0

I've got a ASP.NET Webservice up and running using the [ScriptService] Attribute. From what I've read from this article:

http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx

ASP.NET by defaults does not allow JSONP requests (injected into the DOM via to deny cross-domain-requests. Its does so by taking 2 measures:

1) only accept POST requests (script injection via always does GET) 2) deny connections sending a HTTP header Content-type other than "Content-type: application/json" (which browsers will not send).

I am familiar with the cross-domain issues and I know what JSONP is and I fully understand, why ASP.NET is by default restricted in that way.

But now, I have my webservice which is a public one, and should be open to everybody. So I explicitly need to enable cross-domain requests via Javascript to my Webservice, so that external websites can retrieve data via my webservice from jquery and alike.

I've already covered step (1) to allow requests via GET by modifiying the ScriptMethod Attribute this way: [ScriptMethod(UseHttpGet=true)]. I've checked with jQuery, GET requests now work (on same-domain). But how to get to fix point (2)?

I know about the Allow-Origin-* headers some browsers support, but afaik its not standard yet, and I don't want to force my users / customers to modify their HTTP headers for using my webservice.

To sum it up: I need the good practice to enable Cross-domain requests for ScriptingService for public Webservices via JSON. I mean there MUST be a way to have a Webservice public, that is what most webservices are about?

Dynalon
  • 6,577
  • 10
  • 54
  • 84

2 Answers2

0

Using legacy ASMX services for something like this seems like a lost cause. Try WCF which due to its extensible nature could very easily be JSONP enabled. So if you are asking for best practices, WCF is the technology that you should be building web services on the .NET platform.

Or if you really can't afford migrating to .NET 3.5 at the moment you could also write a custom http handler (.ashx) to do the job.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • I want to avoid WCF for two reasons: 1) The webservice existed as pure xml webservice from some time and is pretty mature, and i got clients using that webservice via xml and class proxys 2) the service runs under mono which does not do WCF – Dynalon Jul 19 '11 at 16:31
  • @Dyna, 1) add a WCF wrapper around your existing ASMX web service. Keep the existing ASMX service for legacy clients. 2) WCF runs fine on Mono (not all the bindings but if you stick to standard stuff it should work). But I understand your points. Well, in this case a simple `.ashx` would work great. – Darin Dimitrov Jul 19 '11 at 16:35
0

The jQuery ajax() function does have a 'crossDomain' property.

Pasted from jQuery.ajax()

crossDomain(added 1.5) Default: false for same-domain requests, true for cross-domain requests If you wish to force a crossDomain request (such as JSONP) on the same domain, set the value of crossDomain to true. This allows, for example, server-side redirection to another domain

Alban
  • 704
  • 1
  • 6
  • 11
  • if you specify dataType: jsonp as option to .ajax(), it does automatically do a cross-domain jsonp request. – Dynalon Jul 19 '11 at 16:38
  • Just offering in case you were not using JSONP. Let me do some more digging. I recently encountered this. On the other hand, we were sending custom headers, and you mentioned you don't want to force your users/customers to do so. – Alban Jul 19 '11 at 16:43