I have a question on the concept of cross-domain JavaScript.
There is a server (e.g. amazon.com) where only selected domains can use their web service.
So definitely, if I try to use their service from my local, I cannot.
I got this on my console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at
http://football20.myfantasyleague.com/2014/export?TYPE=rosters&L=52761&W=&JSON=0.
This can be fixed by moving the resource to the same domain or
enabling CORS.
PS: I used the jQuery cross-domain way too, but it didn't work.
But if some domain which is among the selected ones to use Amazon's web service has a JavaScript file, it works if we include it in our HTML.
<script src="http://example.com"></script>
They have a method to get response by Ajax.
My questions are:
- What happens when we refer to a JavaScript file from an internet URL? Do we have a local copy running on our machine?
- Will the httpRequest that is created have a request source of my domain or the xyz?
Best Answer
Important note up front: If the server at the other end doesn't enable it, there's nothing you can do in your client-side code that will allow a cross-origin ajax request.
Let me give you a background before answering your question:
Same-Origin Security Policy
Simply put, same-origin security policy makes sure that scripts from one origin may not fetch content from other origins. Now, to explain the concept of origin to you, let me quote part of the Wikipedia article on Same-Origin Security Policy:
So, for example, your JavaScript cannot download anything from (aka, make an HTTP request to) a web server other than the server it originated from. This is exactly why you cannot make XmlHttpRequests (aka AJAX) to other domains.
CORS is one way the server at the other end (not the client code in the browser) can relax the same-origin policy.
An Oversimplified Description about Cross Origin Resource Sharing (CORS).
Example: Say your site is http://my-cool-site.com and you have a third-party API at domain http://third-party-site.com, which you can access via AJAX.
And let's assume that a page from your server my-cool-site.com made a request to third-party-site.com. Normally, the user's browser will decline AJAX calls to any site other than your own domain/subdomain per the Same-Origin Security Policy. But if the browser and the third-party server support CORS, the following things happen:
- Browser will send an Origin HTTP header to third-party-site.com
- If the third-party server accepts requests from your domain, it will respond with an Access-Control-Allow-Origin HTTP header:
- To allow all domains, the third-party server can send this header:
- If your site is not allowed, the browser will throw an error.
If the clients have fairly modern browsers that support CORS, and your third-party server supports CORS as well, CORS can be useful to you.
In some obsolete browsers (IE8, for instance), you have to use a Microsoft-specific XDomainRequest object instead of XMLHttpRequest to make a call that will work correctly with CORS; this is outdated now, all modern browsers (including from Microsoft) handle CORS in XMLHttpRequest instead. But if you need to support obsolete browsers, this page describes it:
Again, that's only necessary for obsolete browsers.
The above reasons are why you cannot use Amazon's web services from your script. And Amazon server will only allow downloading their JavaScript files to pages served from selected domains.
To answer your numbered questions:
See description on CORS to understand.
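The header exchange described in the answer above, modelled offline as an added example (it is not part of the original answer or of any real server's code). The `allowList` configuration, the function names and the `http://localhost:8080` origin are assumptions made for illustration; the two site names are the ones used in the answer.

```javascript
// Server side: choose the CORS response headers for a given request Origin.
// `allowList` is a hypothetical server configuration; "*" means any origin.
function corsResponseHeaders(requestOrigin, allowList) {
  const headers = {};
  if (allowList.includes("*")) {
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  // Exact string match only: prefix or substring matching would also accept
  // look-alike origins such as http://my-cool-site.com.attacker.example.
  if (requestOrigin && allowList.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin"; // the response differs per origin, so caches must key on it
  }
  return headers; // no CORS header at all when the origin is not allowed
}

// Browser side (simplified, non-credentialed request): may the page's
// script read the response body?
function browserAllowsRead(pageOrigin, targetUrl, responseHeaders) {
  if (new URL(targetUrl).origin === pageOrigin) return true; // same origin
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// One full round trip: the browser sets Origin itself, from the page that
// is running the script, and then checks the server's answer.
function simulate(pageOrigin, targetUrl, allowList) {
  const headers = corsResponseHeaders(pageOrigin, allowList);
  return { headers, readable: browserAllowsRead(pageOrigin, targetUrl, headers) };
}

// Constructed sample run: an allowed site versus a local development page.
const api = "http://third-party-site.com/api";
const allowed = ["http://my-cool-site.com"];
console.log(simulate("http://my-cool-site.com", api, allowed));
console.log(simulate("http://localhost:8080", api, allowed));
```

The second call returns no `Access-Control-Allow-Origin` header, which is the situation the console message in the question reports.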