1

Im using Coda, and Im trying to write a program to use Javascript/Jquery to load nfl's html on their stats page (http://www.nfl.com/stats/player), and then remove all of the excess html. Resulting several lists of players and their stat's.

I've tried using `$('#container').load('http://www.nfl.com/stats/player').

This works fine in Coda, but I can't parse the html the way I want to.

In google chrome I get the error 

XMLHttpRequest cannot load http://www.nfl.com/stats/player. Origin null is not 
allowed by Access-Control-Allow-Origin.

From what I understand this is a security feature built into all browsers. Is there a workaround to this issue? Can I use a different type of request?

I understand that i should be using JSONP for this type of request, but I dont believe the nfl has an API that would make this possible.

I've seen questions like this get thrown around, but I don't think anyone's given a really good solid answer yet.

I think theres still a lot of people wondering if theres an easy way to $.get cross-domain HTML and parse it.

OneChillDude
  • 7,856
  • 10
  • 40
  • 79
  • 2
    Use server-side code to get the html. – Kevin B Aug 21 '12 at 15:32
  • 1
    Cross-domain scripting security is there for your protection, and you can't easily get around it. For an academic project I had to do something similar, and ended up having to write a proxy server in Python which pulled the document body, striped out the unwanted content, and returned the cleaned up html to our ajax javascript. This will likely be the easiest solution for you as well. – renab Aug 21 '12 at 15:33
  • Duplicate of [Ways to circumvent the same-origin policy](http://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy) and many others. – Quentin Aug 21 '12 at 15:36

1 Answers1

3

You're not allowed to do this because it can be used for XSS (cross site scripting) where scripts are accessed by scripts outside of the domain of the site. i.e. you can get cookie information or such this way.

You will have to do this server side. If you're using php you can use $content = file_get_contents('http://nfl.com/stats/player'); or you can do it using curl if you wish.

Otherwise the legit way to do it is through an API, but as you've pointed out that isn't an option in your case.

Thomas Clayson
  • 29,657
  • 26
  • 147
  • 224
  • So if I use server side, I can load the contents into my page, and then parse it with JS? – OneChillDude Aug 21 '12 at 15:40
  • 1
    @bwheeler96 Or, load it using server-side code, parse it with server-side code, and only return the relevant data to your client-side code, thus preventing malicious code from the 3rd party site from getting to your site. – Kevin B Aug 21 '12 at 15:42
  • Of course you can - essentially like this: `` but you don't want to do this. The whole point of preventing XSS is that you can't run javascript on someone else's website. If you download and pass it all to javascript then they're effectively bypassing the browser XSS prevention security as you're giving them easy access. As kevin says I would parse with php first! :) – Thomas Clayson Aug 21 '12 at 15:44
  • OK. So from what I can tell, I have a few options, just not JS. Thanks everyone! – OneChillDude Aug 21 '12 at 15:45
  • You can still use JS if you want. What you'll have to do is to create a php script which will do the downloading and parsing for you and then call **that** script with jquery's ajax functions. – Thomas Clayson Aug 21 '12 at 15:48