2

For two days I have been going around lots of forum sites, but I haven't found an exact solution to my problem. I have a cross-site scripting problem. The web services of my application, which is written with JavaScript, HTML and CSS, get an error like:

"XMLHttpRequest cannot load...bla bla bla..Origin http://localhost:8088 is not allowed by Access-Control-Allow-Origin response header." The code I wrote is:

$.ajax({
    async: false,
    type: "GET",
    url: "http://www.yem...om/Cata.../M...ogin2?username=blabla&password=blabla123",
    dataType: "xml",
    success: function(xml) {
        alert("CONTROL???");
        $(xml).find('Login').each(function(){
            var logResult = $(this).find('Result').text();
            alert(logResult);
        });
    }
});

I see that I have to use JSONP. But when I write dataType: "*jsonp xml*" or dataType: "*jsonp text xml*", I get an error message such as "SyntaxError: Parse Error"!

Also, I tried CORS Filter, but it needs web.xml and I don't have one. When I created one and tried to make it work, I failed!

Moreover, I tried cross domain requests with jQuery by James Padolsey http://james.padolsey.com/javascript/cross-domain-requests-with-jquery/ It works, but I haven't parsed the data I receive. This plug-in uses Yahoo Query Language; because of that, controlling the data is different and not easy.

Is there any way left to figure my problem out? Please help me!

Best wishes.

séan35

4 Answers

0

I was stuck with a similar problem as well. I found the solution to this question fixed my XSS problem: 'No Transport' Error w/ jQuery ajax call in IE

You do not have to use JSONP, as CORS works with an XML response. Did you try setting the support.cors property to true (solution in the above question)?

$.support.cors = true;

Community
NickT
  • I am sorry that I do not have a chance to verify your solution. I don't develop the project that contains the problem in the question any more. I don't even have the platform installed to try this :) But, thanks for your contribution. – séan35 Sep 12 '14 at 10:52
0

You can write XML inside a /* comment */ in a JavaScript function, convert this function to text with the method functionname.toString(), and parse the text between "/*" and "*/" with JSONP's callback function; that works in all old browsers. Example xml_via_jsonp.js:

// myfunc carries the XML inside a block comment in its body.
function myfunc()
{/*
<xml>
<div class="container">
        <div class="panel panel-info col-lg-10 col-lg-offset-1 added-panel">
            <div class="panel-heading">Random1 - Random2</div>
            <div class="panel-body">
                <div>Random3</div>
            </div>
        </div>
    </div>
</xml>
*/}

// JSONP callback: takes the function and returns the text between the comment markers.
function callback(func)
{
    var myhtml = func.toString();
    var htmlstart = myhtml.indexOf('/*');
    var htmlend = myhtml.lastIndexOf('*/');
    return myhtml.substr(htmlstart+2, htmlend-htmlstart-2);
}
Derozer
0

The cross domain restrictions exist for a reason. It protects internet users. It is in place to prevent programmers and hackers from doing a lot of harmful things.

There are some things that you can do to get around it. One of them is that you can use a CORS Filter to allow requests from cross domains. You say that you don't have a web.xml file. I am not sure what your project looks like, but if you are using web services, then you should have some sort of a web.xml file somewhere. If you can't set that up, you are out of luck (short of using a nice proxy like YQL or something similar). Things like YQL have set their CORS Filter to allow requests from all domains. Calling YQL is an ajax call, just like the ajax call that you are trying to do. The big difference is that the YQL server has the CORS Filter set up, which the browser detects and allows the cross-domain request to proceed.

Once a CORS Filter is in place, then the browser will allow you to hit that domain from a different domain. Rather than looking for a way to hack that, you need to get your project set up to allow the cross origin requests.

If you don't control the webservices that you are trying to ping, then you are out of luck. Only the owner of the webservices will have access to the web.xml.

frosty
  • My application is a kind of Smart TV application. I'm using Eclipse Enterprise Edition as an editor and Apache Tomcat 7.0 as a server. In my app, there is no web.xml file, but Tomcat has one. However, this app will be used on different TVs, and if we think of the app as a client and the TV system as a server, I don't have a chance to control all the TVs. Because of that, I have to do something on the client side (my app) rather than changing something on the Apache Tomcat side. – séan35 Feb 08 '12 at 08:32
  • Moreover, I received some data with James Padolsey's plugin, which is based on YQL, but the data which comes from the web services is different from the expected data (XML), so I don't know how I can parse it. alert("CONTROL???") is processed but $(xml).find('Login').each(function(){...} is not processed! – séan35 Feb 08 '12 at 08:32
  • @séan35, in your example, you are trying to ajax to "http://www.yem...om/Cata.../M...ogin2?username=blabla&password=blabla123". Do you own that domain? Or who owns that domain? Whoever it is, they need to edit their webserver to allow for cross domain requests. Once they do that, your GoogleTV app (which is running from a browser, I am guessing) should work. – frosty Feb 13 '12 at 18:33
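The server-side fix and the browser-side check described in the answer above, as an added example that is not part of the original thread: the server echoes the `Origin` only for origins on an allowlist, and the browser applies a simplified form of its CORS check before script may read the response. `ALLOWED_ORIGINS`, the function names and `http://other.example` are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS and all function names are assumptions.
const ALLOWED_ORIGINS = new Set(["http://localhost:8088"]);

// Server side: choose the CORS headers for one response.
// Echo the Origin only when it is on the allowlist; unknown origins get no
// CORS headers at all, so their pages cannot read the response.
function corsHeadersFor(requestOrigin, allowCredentials = false) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // caches must not reuse this response for another origin
  };
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: simplified version of the check made before script may read
// a cross-origin response to a simple GET (header names matched exactly here).
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const allowed = responseHeaders["Access-Control-Allow-Origin"];
  if (allowed === undefined) return false;          // no header: response is blocked
  if (allowed === "*" && !withCredentials) return true;
  if (allowed !== pageOrigin) return false;         // exact string match only
  if (!withCredentials) return true;
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Constructed cases, evaluated for a page served from http://localhost:8088.
function runCases() {
  const page = "http://localhost:8088";
  const other = "http://other.example"; // constructed origin, not on the allowlist
  const wildcard = { "Access-Control-Allow-Origin": "*" };
  return [
    browserAllowsRead(page, {}),                           // server sends nothing
    browserAllowsRead(page, corsHeadersFor(page)),         // allowlisted origin
    browserAllowsRead(other, corsHeadersFor(other)),       // origin not listed
    browserAllowsRead(page, wildcard),                     // "*" without credentials
    browserAllowsRead(page, wildcard, true),               // "*" with credentials
    browserAllowsRead(page, corsHeadersFor(page, true), true),
  ];
}

console.log(runCases());
```

The wildcard case shows why an allowlist is preferable to `*` for a login endpoint: `*` is rejected as soon as the request carries credentials.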
0

To get results in JSONP, append this to the end of the URL: &callback=?

Try this:

$.getJSON('http://www.yem...om/Cata.../M...ogin2?username=blabla&password=blabla123&callback=?', function(xml) {
    alert("CONTROL???");
    $(xml).find('Login').each(function(){
        var logResult = $(this).find('Result').text();
        alert(logResult);
    });
});

Cross domain scripting must be enabled on server side, too.

tpolyak
  • "SyntaxError: Parse Error" again! Also, I am not sure whether the getJSON command is used for XML or not. – séan35 Feb 08 '12 at 08:08
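Why a JSONP request against an endpoint that returns plain XML ends in a parse error, and what the server would have to send instead, as an added example that is not part of the original thread. The helpers `toJsonp`, `parsesAsScript` and `receiveJsonp` are hypothetical, and `SAMPLE_XML` is constructed from the element names in the question.

```javascript
// Added example. All names here are hypothetical; SAMPLE_XML is constructed.
const SAMPLE_XML = "<Login><Result>OK</Result></Login>";

// Server side: wrap an XML document so it is valid JavaScript for JSONP.
function toJsonp(callbackName, xml) {
  // Accept only identifier-like callback names, so the callback parameter
  // cannot be used to inject arbitrary script into the response.
  if (!/^[A-Za-z_$][\w$]{0,63}$/.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  // JSON.stringify produces a JavaScript string literal; U+2028/U+2029 are
  // escaped as well because older engines reject them inside literals.
  const literal = JSON.stringify(xml)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return callbackName + "(" + literal + ");";
}

// Client side: a JSONP response is loaded as a script, so the body must
// parse as JavaScript. new Function() compiles the text without running it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Run a JSONP body against a stub callback and return what it was given.
// Only ever called here with the constructed sample, never with remote data.
function receiveJsonp(body, callbackName) {
  let received;
  new Function(callbackName, body)((value) => { received = value; });
  return received;
}

console.log(parsesAsScript(SAMPLE_XML));               // raw XML body
console.log(parsesAsScript(toJsonp("cb", SAMPLE_XML))); // wrapped body
console.log(receiveJsonp(toJsonp("cb", SAMPLE_XML), "cb"));
```

The callback receives the XML as a string, which the client would still have to parse (for example with `$.parseXML`) before calling `.find('Login')`.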