Asked  7 Months ago    Answers:  5   Viewed   42 times

Help, if you can-

The situation: includes a remotely hosted JavaScript file (

The goal is to just get an alert from the remotely hosted php script on

I have tried the following code in stuff.js:

  $.ajax({
    type: "GET",
    url: "",
    dataType: 'jsonp',
    success: function(result) { alert(result); }
  });

No luck.

  function(data) { alert(data); }

Also no luck.

On the php side I have tried both the following:

return json_encode(array(0 => 'test'));

echo json_encode(array(0 => 'test'));

In Firefox I get a security error. I understand that it thinks I'm violating the security model. However, according to the jquery documentation, I should be able to accomplish this.
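For reference, this is what a JSONP round trip needs on the wire, as an added example that is not part of the original post. It models the server's reply and the injected script element in plain JavaScript; the callback name and payload are constructed sample values.

```javascript
// Added example (not from the original post): models one JSONP round trip.
// The callback name and payload below are constructed sample values.

// Server side: what a JSONP endpoint must send back for ?callback=<name>.
// The name is restricted to identifier characters so that the reflected
// value can only ever be a function name inside the script response.
function jsonpBody(callbackParam, payload) {
  if (!/^[A-Za-z_$][\w$]{0,63}$/.test(callbackParam)) {
    return { status: 400, type: 'text/plain', body: 'bad callback' };
  }
  return {
    status: 200,
    type: 'text/javascript',
    body: callbackParam + '(' + JSON.stringify(payload) + ');',
  };
}

// Client side: stand-in for the <script> element that a JSONP request
// injects. The body is evaluated as script with the temporary callback in
// scope; the return value is the argument the callback received, or
// undefined if the script never called it.
function runAsScript(callbackName, scriptBody) {
  let received;
  const callback = (data) => { received = data; };
  new Function(callbackName, scriptBody)(callback);
  return received;
}

const cbName = 'jQuery17204_1300000000'; // constructed sample callback name
const samplePayload = ['test'];

// Bare JSON, as produced by `echo json_encode(...)`: it parses as script
// but calls nothing, so the success handler is never invoked.
const bareResult = runAsScript(cbName, JSON.stringify(samplePayload));

// Wrapped in the requested callback: the handler receives the decoded array.
const wrappedResult = runAsScript(cbName, jsonpBody(cbName, samplePayload).body);

console.log({ bareResult, wrappedResult });
```
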



The error seems to be a security feature of the Same Origin Policy: to simplify, you can only make AJAX requests for stuff on the originating server ( One way around this is to make a simple facade on the originating server, e.g.:

 // this file resides at
 echo file_get_contents(''
          . $possibly_some_other_GET_parameters );

Then, from, you can make an AJAX request for (which in turn makes a HTTP GET request from your web server to and sends it back to the browser).

To the browser, the request goes to the origin server, and is allowed (the browser has no way of knowing that the response comes from somewhere else behind the scene).


  • the PHP config at must have allow_url_fopen set to "1". Although this is the default setting, some servers have it disabled.
  • the request to is made from server, not from the browser. That means no cookies or user authentication data are sent to, just whatever you put into the request URL ("$possibly_some_other_GET_parameters").
Wednesday, March 31, 2021
answered 7 Months ago

To achieve this you can either do a synchronous ajax call like described in this answer, but that's something which is incredibly dangerous for the performance of your website.

Alternatively - and this is the right way - you should have an external variable whether the username is available, as soon as the user inputs something you do the request and if it's valid you change the variable otherwise you show a warning message. Next in your validateRegistration() function you only check the external variable (+ possibly some form of callback, depending on where you call it from). The advantage being that the user can still continue doing things (like filling out the rest of the form) whilst the request is pending.

Saturday, May 29, 2021
answered 5 Months ago

Most likely, your server limits the number of concurrent connections per user to 1. Or, you are using sessions and the first script has it locked. The second script will be blocked until the first one releases its lock on the session file. Only use session_start() if you need to, and release the lock with session_write_close() as soon as you are done with it.

Edit: I'm not sure if this will work, but you could try it. Each time you want to update the session, call session_start(), update the session, then call session_write_close(). I'm not sure if you are allowed to do that multiple times in a script, but it seems like it should work.

Saturday, May 29, 2021
answered 5 Months ago

It is XSS and it is forbidden. You should really not do things that way.

If you really need to, make your AJAX code call the local code (PHP, ASP, whatever) on and make it behave like client and fetch whatever you need from and return that back to the client. If you use PHP, you can do this with fopen('', 'r') and then reading the contents as if it was a regular file.

Of course, allow_remote_url_fopen (or whatever it is called exactly) needs to be enabled in your php.ini.

Saturday, June 19, 2021
answered 4 Months ago
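Both this answer and the earlier facade answer have the origin server fetch a remote URL built from the browser's request. The following added example (not code from either answer, and written in JavaScript for Node.js rather than the answers' PHP) shows one way to build that URL so the upstream host stays fixed and only named parameters are forwarded. `UPSTREAM` and the parameter names in `ALLOWED` are hypothetical placeholders.

```javascript
// Added example (not from the original answers). UPSTREAM and the
// parameter names in ALLOWED are hypothetical placeholders.
const UPSTREAM = 'https://api.remote.example/script.php';
const ALLOWED = { id: /^\d{1,10}$/, lang: /^[a-z]{2}$/ };

// Build the URL the facade will fetch server-side. Scheme, host and path
// come only from UPSTREAM. The browser's query string contributes values
// for known parameter names; each value is checked against its pattern and
// percent-encoded by URLSearchParams. Unknown parameters are dropped.
function upstreamUrl(browserQuery) {
  const incoming = new URLSearchParams(browserQuery);
  const target = new URL(UPSTREAM);
  for (const [key, pattern] of Object.entries(ALLOWED)) {
    const values = incoming.getAll(key);
    if (values.length === 0) continue;            // optional parameter
    if (values.length > 1 || !pattern.test(values[0])) {
      throw new RangeError('rejected parameter: ' + key);
    }
    target.searchParams.set(key, values[0]);
  }
  return target.href;
}

// Same check, returning null instead of throwing, for callers that answer
// the browser with an HTTP 400 when the query is not acceptable.
function upstreamUrlOrNull(browserQuery) {
  try {
    return upstreamUrl(browserQuery);
  } catch (err) {
    if (err instanceof RangeError) return null;
    throw err;
  }
}

// Constructed sample queries, as the facade would receive them.
console.log(upstreamUrlOrNull('id=42&lang=en&debug=1'));
console.log(upstreamUrlOrNull('id=42&id=43'));
```
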

The solution that I came up with was to use cURL (as @waki mentioned), but a slightly modified version that supports SOAP. Then, instead of making the AJAX call to the third party API (which is configured incorrectly) I make the call to my local PHP file which then makes a SOAP call to third party API and passes the data back to my PHP file where I can then process it. This allows me to forget about CORS and all of the complexities associated with it. Here's the code (taken and modified from this question, but without the authentication).

$post_data = "Some xml here";
$soapUrl = ""; // asmx URL of WSDL

$headers = array(
    "Content-type: text/xml;charset=\"utf-8\"",
    "Accept: text/xml",
    "Cache-Control: no-cache",
    "Pragma: no-cache",
    "Content-length: " . strlen($post_data),
); //SOAPAction: your op URL

$url = $soapUrl;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); // the SOAP request
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);

/* Check for an error when processing the request. */
if (curl_errno($ch) != 0) {
   // TODO handle the error
}

// TODO Parse and process the $response variable (returned as XML)
Tuesday, August 3, 2021
answered 3 Months ago