
This Python code works fine

import urllib
import urllib2

print 'foo'
params = {'memberId': '1'}
data = urllib.urlencode(params)  # form-encoded body, even though the header below claims JSON
url = 'http://aaa.bbb.com/ccc/'
req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
f = urllib2.urlopen(req)
response = f.read()

print '===>', response

# eval() executes whatever the remote server returned as Python code;
# json.loads() is the safe way to turn a JSON response into Python objects.
response = eval(response.decode('unicode-escape'))
f.close()

I am wondering what's the corresponding JavaScript code for this? I tried this, and it alerted "error". Currently I am on ddd.bbb.com. The web service is on aaa.bbb.com. I cannot set a relative path for this.

Please advise on how to configure cross-domain. Thanks.

jQuery.ajax({
    url: 'http://aaa.bbb.com/ccc',
    type: 'GET',
    contentType: "application/json",
    dataType: "json",
    data: {'memberId': '1'},
    success: function (data) {
        alert("ok");
    },
    error: function () {
        alert("error");
    }
});
wahaha
  • Set the url relative to the path of the script, not the full location with domain. – Austin Brunkhorst Nov 30 '12 at 23:57
  • You are running the latter one in a browser. Same origin policy is a browser-side protection (considering there's no cross-domain configuration whatsoever, which I assume is likely the case). – Alexander Nov 30 '12 at 23:59
  • Your content type says json but you aren't sending json. – Musa Dec 01 '12 at 00:00
  • @musa - doesn't matter what you're sending as that will be converted to a querystring anyway, it matters what you're receiving. Regular JSON requests aren't normally supported (without CORS etc.) cross browser, as Alexander is saying, and comparing to Python is not relevant at all. – adeneo Dec 01 '12 at 00:10
  • To add onto @Alexander's comment: https://developer.mozilla.org/en-US/docs/Same_origin_policy_for_JavaScript – Incognito Dec 01 '12 at 01:09
  • Since you are trying to do a GET request you don't need any additional configuration. jQuery should figure out the rest for you. In Python you eval the response; maybe you need to use JSONP with jQuery to get the same effect. Can you show an example response from 'http://aaa.bbb.com/ccc?memberid=1'? Try to let jQuery figure out stuff like content type as it's pretty good at it. – BuddhiP Dec 01 '12 at 01:59

1 Answer

There are approximately one gajillion (that's my technical estimate ;-) ) other Stack Overflow questions about Javascript's "same origin policy", and how you can work around it. I strongly recommend checking them out.

As a quick summary, your basic options are:

  1. use JSONP (this only works if aaa.bbb.com supports JSONP)
  2. get aaa.bbb.com to add ddd.bbb.com to its "safe list" (there's a better term for it, but I forget it); if you control aaa.bbb.com this is probably your best bet
  3. if you can't do either of the above, set up a proxy service (Apache alone can handle this) to forward ddd.bbb.com/someUrl to aaa.bbb.com, so that the browser thinks you're hitting your own domain, but really the content comes from elsewhere.

And just so you understand the core problem, the gist of it is that browsers don't let code from evildomain.com access yourbank.com, as a security precaution. However, browsers will let you retrieve scripts from yourbank.com, no matter what your origin is, so you can exploit that using something called JSONP ... but for JSONP to work, the owner of yourbank.com has to support it (they have to tailor their scripts for you).

Browsers will also let you access yourbank.com if yourbank.com explicitly says "it's cool if evildomain.com messes with us". They do that by putting a special file in a special place on their site (I forget the details, but they're easy to look up).

If you can't do either of those, you can just get your evildomain.com server to go to yourbank.com for you. Servers aren't bound by the same restrictions as browsers, so they can visit any site they want. When it does, it can send you back the content it finds there, and this is known as a "proxy" (to yourbank.com through evildomain.com, which is the end doing the proxying).

Hopefully that clarifies matters a bit.

machineghost
  • Yeah you are right. I searched and there are a lot of results, tried a few but none of them worked. Please post one possible solution (or link) that you think would resolve this problem maybe? – wahaha Dec 01 '12 at 01:28
  • http://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy is the highest rated one I could find. – machineghost Dec 01 '12 at 01:29
  • I also improved my "quick summary" to give you a basic overview of your options. – machineghost Dec 01 '12 at 01:32
  • One last note: your python code above essentially is a proxy; if you were to make that script available on your site (eg. at `ddd.bbb.com/proxyToAAA`) then you could access aaa's stuff without violating the browser rules (because as far as the browser can see, you're not getting it from aaa, you're getting it from ddd). – machineghost Dec 01 '12 at 01:41