0

Description of steps

  1. Write "callback" function on my custom page in my domain (called "MyCallbackCallback", for the sake of argument)
  2. Open new window (from different domain) and pass function name in as part of query string
  3. New window does what it needs to do then tries to access "MyCallback" from my custom page

This obviously won't work and will return "Access denied" error.

If there was a way of "allowing" the 3rd-party domain access to my domain that would solve the issue, of course. Is there such a thing? I know there is in ActionScript, but JavaScript??

NB - I am aware that setting "document.domain" on both pages (or creating both pages in the same domain) will solve the issue, but I almost certainly won't have this option.

If the answer is "you can't" that's fine - I just need to know. I have spent many hours searching and can't find a simple answer (there may not be one!)

Ta, Rob

LiverpoolsNumber9

3 Answers

4

It’s not exactly clear from your question, but if you’re trying to use CORS, the server you’re requesting data from should add an Access-Control-Allow-Origin HTTP header, like so:

Access-Control-Allow-Origin: http://example.org

Or, if it’s a public resource:

Access-Control-Allow-Origin: *

Older browsers don’t support CORS. If you need a fully cross-browser-compatible solution, use JSONP.

Mathias Bynens
  • Hi Mathias - this looks exactly what I'm looking for. I've just added "Access-Control-Allow-Origin: *" to the header, but the 3rd party page still can't access my method. Here is the error: "Permission denied for to get property Window.ProcessDocument" ....where "Window.ProcessDocument" is the method on my page... – LiverpoolsNumber9 Mar 18 '11 at 16:22
  • The wildcard allows all origins, a specific string allows 1 origin, but is there a way to allow a specific list of origins? Not seeing that in the W3 specs anywhere. – Craig Labenz Mar 06 '13 at 16:14
  • 2
    @CraigLabenz You could have your server read out the `Origin` header that the client sends, see if it matches the list of allowed origins, and then send back the single `Access-Control-Allow-Origin: [origin]` header. – Mathias Bynens Mar 07 '13 at 12:52
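
The approach from the last comment (read the request's `Origin` header, compare it with a list of allowed origins, and echo back a single `Access-Control-Allow-Origin` value) can be sketched as follows. This is an added example, not code from any of the posters; the names `ALLOWED_ORIGINS`, `corsHeadersFor` and `handleRequest`, the sample origins, and the `Vary: Origin` header are assumptions of the example.

```javascript
// Added example. ALLOWED_ORIGINS, corsHeadersFor and handleRequest are
// hypothetical names; the origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "http://example.org",
  "https://app.example.org",
]);

// Decide the CORS response headers for one request's Origin header value.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  // The response now depends on Origin, so shared caches must key on it,
  // otherwise one origin's allowed response can be served to another.
  const headers = { Vary: "Origin" };
  // Exact match on the serialized origin (scheme://host[:port], no path,
  // no trailing slash). Prefix, suffix or substring checks would accept
  // look-alikes such as http://example.org.other.test.
  if (typeof originHeader === "string" && allowed.has(originHeader)) {
    headers["Access-Control-Allow-Origin"] = originHeader;
  }
  // No match: send no Access-Control-Allow-Origin at all, and the browser
  // keeps the response from the calling page.
  return headers;
}

// Node-style handler, usable as http.createServer(handleRequest).
function handleRequest(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ ok: true }));
}

// Constructed Origin values, including ones that must be refused.
const samples = [
  "http://example.org",
  "https://app.example.org",
  "http://example.org/",            // trailing slash: not a serialized origin
  "http://example.org.other.test",  // look-alike host
  "null",                           // sandboxed frames, file: pages
  undefined,                        // not a cross-origin request
];
for (const origin of samples) {
  console.log(String(origin), "->", JSON.stringify(corsHeadersFor(origin)));
}
```
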
1

Have a look at Cross-Domain AJAX requests:

JSONP is the only method compatible with older browsers though.

ThiefMaster
0

If you want cross-domain communication without serverside proxies (perfect for the kind of RPC that you are describing) then take a look at easyXDM.

You can find multiple demos here.

Sean Kinsey