I am maintaining a website that uses JavaScript. The script uses jQuery and loads some content from the server at which the site is normally hosted.
Just for conveni
CHROME
There is a plugin for Chrome that will force it to ignore the security policy. You can also do this with flags. Note: please do not browse the "real web" with this enabled, as it is a security risk for your computer.
FIREFOX
This thread indicates that there is presently no way to do this in Firefox.
OPERA
Again, there does not appear to be a built-in way to ignore CORS policies.
The alternative would be to have the server (http://my.domain.tld) in your case return the proper headers - specifically Access-Control-Allow-Origin:
Due to the same origin policy you aren't normally able to request resources from a different domain. Try adding crossDomain: true to your AJAX request since you are trying to make a request to a different domain.

    // lastID, JSONreceive and JSONerror come from the asker's own script.
    $.ajax({
        url: 'http://my.domain.tld/cgi-bin/myPerlScript.pl',
        crossDomain: true,
        // qkz carries a random value so every request URL is unique
        data: "lastID=" + lastID
            + '&qkz=' + Math.random(),
        dataType: "json",
        success: JSONreceive,
        error: JSONerror
    });
Assuming the web site is Domain A, and the Perl script is on Domain B, you have two options:
1) Enable CORS on the web server at Domain B. http://enable-cors.org/
2) Create a script (PHP, Perl, ashx, etc.) on Domain A that calls the script on Domain B. The script on Domain A will act as a proxy and will be allowed by all web browsers.
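An added example (not part of the original answers) of option 1: the per-request CORS decision the server on Domain B could make, written in JavaScript for Node.js. The function name corsDecision, the allowlisted origins and the permitted methods and headers are assumptions for illustration; it echoes only exact allowlisted origins and refuses the "null" origin that a page opened from file:// sends.

```javascript
// Added example. Origins, methods and headers below are assumed values.
const ALLOWED_ORIGINS = new Set([
  'http://domain-a.example', // hypothetical production site (Domain A)
  'http://localhost:8000',   // hypothetical local development web server
]);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// Decide the CORS part of a response. reqHeaders uses lower-case names,
// as Node's http module provides them. Returns { status, headers }.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  // Vary: Origin stops caches from reusing one origin's response for another.
  const headers = { 'Vary': 'Origin' };
  // No Origin header: same-origin or non-browser client, nothing to add.
  if (origin === undefined) return { status: 200, headers };
  // A page opened from file:// sends the literal string "null". Sandboxed
  // iframes and data: documents send it too, so it is never allowlisted.
  if (origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers };
  }
  if (method === 'OPTIONS') {
    // Preflight: check what the browser says the real request will use.
    const wantMethod = reqHeaders['access-control-request-method'];
    const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantMethod) ||
        !wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  // Echo the exact allowlisted origin; never "*" and never a substring match.
  headers['Access-Control-Allow-Origin'] = origin;
  return { status: method === 'OPTIONS' ? 204 : 200, headers };
}

// Constructed sample requests.
console.log(corsDecision('GET', { origin: 'http://localhost:8000' }));
console.log(corsDecision('GET', { origin: 'null' }));
```

With this policy a local copy has to be served from the listed localhost origin; opening it directly from disk is refused.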
To avoid these issues, you should develop your page (on your local computer is OK) using a web server (like Apache, nginx, ...), so that the URLs of your AJAX calls start with the protocol http or https, not "file". "File" is the path of your file using the OS path system, not a web server system.
On the other hand, browsers have a "Same Origin Policy". This is a security feature, but what are the "problems" in web development using AJAX calls? Well, your AJAX calls must always be made to the same server; for example, if you have your website on the domain "http://my-domain.com", then your AJAX calls must go to the same domain "http://my-domain.com".
To "bypass" SOP in ajax calls, you have three solutions:
BTW
I am going to answer: "Please can anyone explain what is so risky to call data via Ajax from an other domain". (Copied and pasted from Mozilla MDN https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)
The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. Same-origin Policy is used as a means to prevent some of the Cross-site Request Forgery attacks.