Asked  7 Months ago    Answers:  5   Viewed   42 times

Help, if you can-

The situation:

http://foobar.com includes a remotely hosted javacript file (http://boobar.com/stuff.js).

The goal is to just get an alert from the remotely hosted php script on foobar.com

I have tried the following code in stuff.js:

$.ajax({
  type: "GET",
  url: "http://www.boobar.com/script.php?callback=?",
  dataType: 'jsonp',
  success: function(result) { alert(result); }
});

No luck.

$.getJSON("http://www.boobar.com/script.php?jsonp=?",
  function(data) { alert(data); }
);

Also no luck.

On the php side I have tried both the following:

return json_encode(array(0 => 'test'));

echo json_encode(array(0 => 'test'));

In Firefox I get a security error. I understand that it thinks I'm violating the security model. However, according to the jquery documentation, I should be able to accomplish this.

 Answers

35

The error seems to be a security feature of the Same Origin Policy: to simplify, you can only make AJAX requests for stuff on the originating server (http://foobar.com). One way around this is to make a simple facade on the originating server, e.g.:

 <?php
 // this file resides at http://foobar.com/getstuff.php
 echo file_get_contents('http://www.boobar.com/script.php?callback=?'
          . $possibly_some_other_GET_parameters );
 ?>

Then, from foobar.com, you can make an AJAX request for http://foobar.com/getstuff.php (which in turn makes a HTTP GET request from your web server to boobar.com and sends it back to the browser).

To the browser, the request goes to the origin server, and is allowed (the browser has no way of knowing that the response comes from somewhere else behind the scene).

Caveats:

  • the PHP config at foobar.com must have allow_url_fopen set to "1". Although this is the default setting, some servers have it disabled.
  • the request to www.boobar.com is made from foobar.com server, not from the browser. That means no cookies or user authentication data are sent to www.boobar.com, just whatever you put into the request URL ("$possibly_some_other_GET_parameters").
Wednesday, March 31, 2021
 
Gil
answered 7 Months ago
Gil
49

To achieve this you can either do a synchronous ajax call like described in this answer, but that's something which is incredibly dangerous for the performance of your website.

Alternatively - and this is the right way - you should have an external variable whether the username is available, as soon as the user inputs something you do the request and if it's valid you change the variable otherwise you show an warning message. Next in your validateRegistration() function you only check the external variable (+ possible some form of callback, depending on where you call it from). The advantage being that the user can still continue doing things (like filling out the rest of the form) whilst the request is pending.

Saturday, May 29, 2021
 
jeremyharris
answered 5 Months ago
91

Most likely, your server limits the number of concurrent connections per user to 1. Or, you are using sessions and the first script has it locked. The second script will be blocked until the first one releases its lock on the session file. Only use session_start() if you need to, and release the lock with session_write_close() as soon as you are done with it.

Edit: I'm not sure if this will work, but you could try it. Each time you want to update the session, call session_start(), update the session, then call session_write_close(). I'm not sure if you are allowed to do that multiple times in a script, but it seems like it should work.

Saturday, May 29, 2021
 
Norgul
answered 5 Months ago
73

It is XSS and it is forbidden. You should really not do things that way.

If you really need to, make your AJAX code call the local code (PHP, ASP, whatever) on blah.com and make it behave like client and fetch whatever you need from foo.com and return that back to the client. If you use PHP, you can do this with fopen('www.foo.com/blah.html', 'r') and then reading the contents as if it was a regular file.

Of course, allow_remote_url_fopen (or whatever it is called exactly) needs to be enabled in your php.ini.

Saturday, June 19, 2021
 
VieStar
answered 4 Months ago
32

The solution that I came up with was to use cURL (as @waki mentioned), but a slightly modified version that supports SOAP. Then, instead of making the AJAX call to the third party API (which is configured incorrectly) I make the call to my local PHP file which then makes a SOAP call to third party API and passes the data back to my PHP file where I can then process it. This allows me to forget about CORS and all of the complexities associated with it. Here's the code (taken and modified from this question, but without the authentication).

$post_data = "Some xml here";
$soapUrl = "http://yoursite.com/soap.asmx"; // asmx URL of WSDL


$headers = array(
    "Content-type: text/xml;charset="utf-8"",
    "Accept: text/xml",
    "Cache-Control: no-cache",
    "Pragma: no-cache",
    "SOAPAction: http://yoursite.com/SOAPAction",
    "Content-length: " . strlen($post_data),
); //SOAPAction: your op URL

$url = $soapUrl;

// PHP cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); // the SOAP request
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);

/* Check for an error when processing the request. */
if(curl_errno($ch) != 0) {
   // TODO handle the error
}

curl_close($ch);

// TODO Parse and process the $response variable (returned as XML)
Tuesday, August 3, 2021
 
wavyGravy
answered 3 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :