3

I am building an AJAX application to query an OData endpoint. I've been doing some testing with the Netflix OData feed and found something I don't get:

When I make an .ajax() request to a url (e.g. http://odata.netflix.com/v1/Catalog/Titles) I get the error: "Origin null is not allowed by Access-Control-Allow-Origin". However when I put the same url into my browser the request goes through and I get a response.

What is the fundamental difference here that I'm not getting? How is the browser bypassing the Same Origin Policy?

Alex

2 Answers

2

I also used JSONP for Netflix's OData. It seems to work fine for my application. I have posted the code and explanation on my blog http://bit.ly/95HXLM

Some sample fragment below as well:

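    // Fragment: `query` (the OData request URL) is built earlier in the
    // enclosing handler, which is not shown here.

        // Make JSONP call to Netflix
        $.ajax({
            dataType: "jsonp",
            url: query,
            jsonpCallback: "callback", // fixed callback name instead of a jQuery-generated one
            success: callback
        });
    }); // closes the enclosing handler opened above this fragment

    function callback(result) {
        // unwrap result: the movie entries are in d.results
        var movies = result.d.results;

        // clear the container, then render one template instance per movie
        $("#movieTemplateContainer").empty();
        $("#movieTemplate").tmpl(movies).appendTo("#movieTemplateContainer");
    }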
Peter O.
Doris Chen
  • Is this jsonpCallback specific to the Netflix OData endpoint or is it common with all (or many) OData services? – klumsy Apr 19 '13 at 07:47
1

The same origin policy applies to HTTP requests issued from within code loaded with pages from remote sites. That code is disallowed by the machine from issuing new requests for content from different domains, under the assumption that you, the user in control, were OK with fetching content from haxors.r.us, but you wouldn't want that site to issue HTTP requests to bankofamerica.com without your say-so. However, the browser should allow you, the user in control, to issue HTTP requests to anywhere. Indeed, with Humanity fading in the shadow of the Machine, I demand it. I demand it!

You can make requests to that URL from your server, and then pass along the response to your code on the client (after any sort of filtering or extraction your server code may choose to do). Alternatively, Netflix may support a JSONP API, which would allow your client-side code to issue GET requests as script fetches, with results to be interpreted as JavaScript code.

Also it should be noted that this policy has nothing at all to do with jQuery itself. It's a basic security rule on the XMLHttpRequest mechanism.

Pointy
  • Yeah, I've been making requests in JSONP (specifying a callback) and it has worked for everything except the retrieval of the OData $metadata document. For that, I can put the request through, and it returns the data (in XML) but then I think it attempts to execute it as a script. Is there some way to circumvent that or should I just make this a new question? :P – Alex Nov 02 '10 at 18:40
  • Well if the Netflix URL (or API, whatever you want to call it) is returning XML, there's not much you can do about that. Is there a related URL that returns a JSONP result? The way JSONP works is that the client library creates a new ` – Pointy Nov 02 '10 at 21:35
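
The distinction discussed in this thread, as an added example that is not code from any of the posts: a simplified model of how a browser treats the same URL when the user navigates to it, when a page loads it as a script (JSONP), and when a page requests it with XMLHttpRequest. It covers only simple GET requests without credentials; the function names, the local page path and the empty response headers are constructed for illustration.

```javascript
// Added example: simplified model of the browser's check for a simple
// cross-origin GET without credentials (no preflight handling).
const TARGET = "http://odata.netflix.com/v1/Catalog/Titles"; // URL from the question

// A page's serialized origin. file: pages get an opaque origin, which the
// browser sends in the Origin header as the literal string "null".
function pageOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Case-insensitive response header lookup.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// kind: "navigation" (URL typed into the address bar), "script" (a <script>
// fetch, which is what JSONP uses) or "xhr" (XMLHttpRequest, e.g. $.ajax).
function mayUseResponse(kind, pageUrl, targetUrl, responseHeaders) {
  if (kind === "navigation") {
    return { allowed: true, reason: "user navigation: no page script reads the response" };
  }
  if (kind === "script") {
    return { allowed: true, reason: "executed as JavaScript, never handed to the page as data" };
  }
  const origin = pageOrigin(pageUrl);
  if (origin !== "null" && origin === new URL(targetUrl).origin) {
    return { allowed: true, reason: "same origin" };
  }
  const acao = header(responseHeaders, "access-control-allow-origin");
  if (acao === "*" || acao === origin) {
    return { allowed: true, reason: "allowed by Access-Control-Allow-Origin" };
  }
  return { allowed: false, reason: `Origin ${origin} is not allowed by Access-Control-Allow-Origin` };
}

// Constructed inputs: a test page opened from disk, and a response with no CORS headers.
const localPage = "file:///C:/dev/test.html";
for (const kind of ["navigation", "script", "xhr"]) {
  console.log(kind, mayUseResponse(kind, localPage, TARGET, {}));
}
```

The "script" branch is also why a JSONP-style request for an XML document fails: the response is run as JavaScript and never returned to the caller as data.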