I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I've read through Ways to circumvent the same-origin policy, but it seems the methods described there aren't appropriate for me:
- The document.domain method - only works on subdomains.
- The Cross-Origin Resource Sharing method - requires server cooperation.
- The window.postMessage method - seems to require opening a popup window?
- The Reverse Proxy method - A possible solution, but seems a bit too hard to setup.
- http://anyorigin.com - seems to not support SSL.
Is this it? Must I implement solution 4, which seems rather complicated, or am I missing something?
Sorry, it seems that anyorigin.com does support https.
The reason I naively thought it doesn't, is because the API in question returns JSON, and I thought I would actually just get a plain text response (as in my tests with using anyorigin.com on google.com). When it returned just an object, I figured something was broken.
It appears the object simply returns the parsed JSON, so I'm good to go!
Update - anyorigin.com stopped working with some https sites a few weeks after I posted this, so I went ahead and wrote whateverorigin.org, an open source alternative to anyorigin.
You can use Ajax-cross-origin a jQuery plugin. With this plugin you use jQuery.ajax() cross domain.
It is very simple to use:
$.ajax({
crossOrigin: true,
url: url,
success: function(data) {
console.log(data);
}
});
You can read more here: http://www.ajax-cross-origin.com/
JSONP should be on your list, and higher up. Pretty much the standard. It requires server cooperation, but most any API should know what they're doing and support it.
here is a real basic writeup of how it works
来源:https://stackoverflow.com/questions/7680776/how-to-circumvent-same-origin-policy-for-a-3rd-party-https-site