same-origin-policy

I am not sure if this is even possible. Basically I want to load a local html file on a client PC and have it make a request to a remote server. The data served up by the server is XML. When I say I am loading a file, I mean the URL in chrome appears as "file:///E:/..." This is the closest I have gotten to being able to load the XML. I inspected the network tab on the client end and its successfully loading, I just cant seem to get the XML into an element I can inspect: var script = document.createElement('script'); script.setAttribute('src', 'http://xxx.xx.xx.xxx:xxxx/myxmldata'); script

MDN says, when the credentials like cookies, authorisation header or TLS client certificates has to be exchanged between sites Access-Control-Allow-Crendentials has to be set to true . Consider two sites A - https://example1.xyz.com and another one is B- https://example2.xyz.com . Now I have to make a http Get request from A to B. When I request B from A I am getting, "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin ' http://example1.xyz.com ' is therefore not allowed access." So, I'm adding the following response headers in B response.setHeader("Access

I have a JavaScript app which uses the Google Drive API. I read how to open a standard sharing dialog here: https://developers.google.com/drive/web/manage-sharing <head> ... <script type="text/javascript" src="https://apis.google.com/js/api.js"></script> <script type="text/javascript"> init = function() { s = new gapi.drive.share.ShareClient('<MY_APP_ID>'); s.setItemIds(["<MY_FILE_ID>"]); } window.onload = function() { gapi.load('drive-share', init); } </script> </head> <body> <button onclick="s.showSettingsDialog()">Share</button> </body> Seems like I do everything right, when I click my

Why did the creators of the HTML DOM and/or Javascript decide to disallow cross-domain requests? I can see some very small security benefits of disallowing it but in the long run it seems to be an attempt at making Javascript injection attacks have less power. That is all moot anyway with JSONP, it just means that the javascript code is a tiny bit more difficult to make and you have to have server-side cooperation(though it could be your own server) The actual cross-domain issue is huge. Suppose SuperBank.com internally sends a request to http://www.superbank.com/transfer?amount=100&to=123456

I'm developing a JavaFX application that is mostly a glorified web page. It's a desktop application (it's no embedded into a web page) and it has a Web View for the main UI. The application itself serves the sole purpose of accessing Bluetooth devices using Bluecove because that's not possible directly with JavaScript on a web browser. The proof of concept works ok (I was able to call JavaScript code from Java and vice-versa) but I have one extra requirement of calling arbitrary web services/API from within JavaScript but this violates the same origin policy (similar to this on Android: Allow