AJAX cross domain request


J.O.N.

Aug 30, 2011, 12:32:34 AM
to Express
Hi all,

I am pretty new to the Express framework and have been looking in the
docs for an easy solution to cross domain AJAX requests. It seems
like there would be a simple solution to such a common problem. I am
sending AJAX posts from the browser using jQuery to a server running
Express that responds back based on the post data, but the browser is
complaining:

XMLHttpRequest cannot load xxxxx. Origin xxxxx is not allowed by
Access-Control-Allow-Origin.

I have seen solutions that add a header to the response to set
res.header("Access-Control-Allow-Origin", "*"); and have tried to also
do this in vanilla node.js but I am just wondering if there is an easy
fix or option I can set on the server to avoid setting the header each
time.

Any help is greatly appreciated

Damianos Mylonakis

Aug 30, 2011, 4:28:56 AM
to expre...@googlegroups.com
AJAX is indeed forbidden to connect to other domains than the one already connected to. That's the security model browsers have. The Access-Control-Allow-Origin header won't work on all browsers, I think.
You can use JSONP to bypass the cross-domain limitation, and it's supported by jQuery (check the dataType jsonp option).

For setting a header on every response, you can use a middleware.

David Ellis

Aug 30, 2011, 10:12:14 AM
to Express
If you still want to use AJAX in this way (since your web service
must still guard against unauthorized requests that may be spoofing
the origin, or just using Firebug to inject code into your page and
make it "look" authentic, I see these Access Control headers as
absolute garbage), this is the magic incantation we came up with at
Agrosica for Node.js:

// The OPTIONS method to shut Firefox up (the CORS preflight handler)
function handleOptions(request, response) {
    response.writeHead(200, {
        "Access-Control-Allow-Origin": "*",
        // The header name defined by the CORS spec is plural: Access-Control-Allow-Methods
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
        // Echo back whichever headers the browser asked permission to send;
        // fall back to an empty string when the preflight did not list any
        "Access-Control-Allow-Headers": request.headers["access-control-request-headers"] || ""
    });
    response.end();
}

Obviously, you'll need to change the "Access-Control-Allow-Methods" to
list whatever HTTP methods you support, and the last line lets Firefox
know that you're perfectly fine with sending whatever headers it
wants, and then you can do whatever you want with them (including
ignore them) -- if you don't allow this, Firefox will complain that it
can't send the request with whatever headers it's asking to send, even
though it's perfectly fine with barfing whatever headers it wants to
with "normal" GET/POST requests, including *gasp*, cross-site GET
requests! (Hyperlinks...)

David

On Aug 30, 4:28 am, Damianos Mylonakis <danmylona...@gmail.com> wrote:
> AJAX is indeed forbidden to connect to other domains than the one already
> connected to. That's the security model browsers have. The
> Access-Control-Allow-Origin header won't work on all browsers, I think.
> You can use JSONP to bypass the cross-domain limitation, and it's supported
> by jQuery <http://api.jquery.com/jQuery.ajax/> (check the dataType jsonp
> option).
>
> For setting a header on every response, you can use a middleware <https://groups.google.com/d/msg/express-js/_F8xgznDPno/uRKFkSsrM8kJ>.

Luc Juggery

Aug 30, 2011, 10:18:20 AM
to expre...@googlegroups.com
Thanks a lot David,
I'll check this.
Regards,
Luc


vision media [ Tj Holowaychuk ]

Aug 30, 2011, 12:18:25 PM
to expre...@googlegroups.com
PS: Express supports app.options, so you can either use middleware or something
like:

app.options('/api/*', function(){ ...respond... })

to override the default.
Tj Holowaychuk
Vision Media
President & Creative Lead

AJ ONeal

Sep 15, 2011, 10:00:36 PM
to expre...@googlegroups.com

There's also connect-cors (my fork is connect-xcors, but I think my rewrite was pulled into master), which has some good smarts in it for dealing with whitelisting only some domains and hacks for MSIE.

Also, you can use foobar3000.com and helloworld3000.com to test cross-domain requests from your browser console.

Sent from my Android
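Pulling the thread's suggestions together (a header-setting middleware, an OPTIONS preflight handler, and a whitelist of origins rather than "*"), here is an added example written for this page; it is not code from the thread, from Express, or from connect-cors. It runs on plain Node.js, and the names makeCorsMiddleware, fakeRes and simulate, plus the constructed stand-in response object, are this example's own assumptions.

```javascript
// Added example (not from the thread or from connect-cors): a Connect/Express-style
// middleware that answers preflights and sets CORS headers only for an explicit
// allowlist of origins instead of "*".
function makeCorsMiddleware(allowedOrigins, allowedMethods) {
  const origins = new Set(allowedOrigins);
  const methods = allowedMethods.join(', ');
  return function cors(req, res, next) {
    const origin = req.headers['origin'];
    // Exact allowlist match: no substring/regex test, so "https://app.example.com.evil.test"
    // cannot pass for "https://app.example.com".
    if (!origin || !origins.has(origin)) {
      // Same-origin or untrusted origin: send no CORS headers at all. A preflight still gets
      // a clean 204 ("no"); a plain request still runs, because CORS only controls what the
      // page may read, not who may call you, so authorization belongs in the handler.
      if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
      return next();
    }
    // Echo the single matching origin rather than "*", and mark the response as
    // varying by Origin so a shared cache never hands it to a different site.
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin');
    if (req.method === 'OPTIONS') {
      // Preflight: declare the methods and the requested headers the real request may use.
      res.setHeader('Access-Control-Allow-Methods', methods);
      const requested = req.headers['access-control-request-headers'];
      if (requested) res.setHeader('Access-Control-Allow-Headers', requested);
      res.setHeader('Access-Control-Max-Age', '600'); // let the browser cache the preflight
      res.writeHead(204);
      res.end();
      return;
    }
    next();
  };
}

// Minimal stand-in for an Express response object, constructed for this demo.
function fakeRes() {
  const r = { statusCode: 200, headers: {}, ended: false };
  r.setHeader = (k, v) => { r.headers[k.toLowerCase()] = v; };
  r.writeHead = (code) => { r.statusCode = code; };
  r.end = () => { r.ended = true; };
  return r;
}

// Pushes one request through the middleware and reports what the browser would see.
function simulate(cors, method, headers) {
  const res = fakeRes();
  let reachedHandler = false;
  cors({ method, headers }, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers: res.headers, reachedHandler };
}
```

With a real app the middleware is registered once, as in app.use(makeCorsMiddleware(['https://app.example.com'], ['GET', 'POST'])), which is the "set it once instead of on every response" the original question asked for.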
