Antix Software

Want XML from an other website via JavaScript (AJAX)?

The Same Origin Policy

This dictates that content should be restricted to a single origin (scheme+host+port), for session security, and although it has not been strictly adhered to in browsers of the past, modern browsers are beginning to implement this policy more closely.

The problem is that, as always with these things progress is slow, and some browsers notably IE9, have implemented the security by simply locking down and not allowing for access by any means ("No Transport" error).

edit: turns out, IE8 & and IE9 do allow for limited support with the XDomainRequest object, for IE6 & 7 you could use flash as a work around.

Cross-Origin Resource Sharing

Other browsers have allowed such access using CORS which allows the server to decide what origins to allow access to its resource.

(Of course if you were talking JSON and not XML there is a convenient Hack called JSONP which will get you around the SOP in all browsers)

CORS is implemented in the browser, your client-side code and the services you access, so requires work for service providers as well to get it working.

Client-Side

For a Simple Cross-Origin Request, you should pass the Origin header in the service call, using jQuery, this is done by setting crossDomain to true (jQuery will check the domain you're on and the one you're calling to do this automagically).

$.ajax(
    "http://cor.sandbox/services/dataservice.svc/getdata",
    {
        type: "GET",
        crossDomain: true
    });

This will pass the following sort of thing to the server

GET http://cor.sandbox/services/dataservice.svc/getdata HTTP/1.1
Host: cor.sandbox
Connection: keep-alive
Origin: http://localhost:58264
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

edit: in the case of IE9, the original call will not be made at all as jQuery core does not currently iron out the XDomainRequest wrinkle, there is discussion about this being added, its not clear whether they will or not

Server-Side

The server should then return headers in the response which allow the browser to accept the returned data, if they are not returned, the browser will reject

HTTP/1.1 200 OK
Content-Length: 184
Content-Type: application/xml; charset=utf-8
Access-Control-Allow-Origin: *

In ASP.NET you can add the following to web.config to return these headers, although its a sledge-hammer solution

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

References

http://www.w3.org/Security/wiki/Same_Origin_Policy

http://www.w3.org/TR/cors

http://en.wikipedia.org/wiki/Same_origin_policy

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing

http://en.wikipedia.org/wiki/JSONP

http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/

http://encosia.com/using-cors-to-access-asp-net-services-across-domains/

http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

http://bugs.jquery.com/ticket/8283

http://easyxdm.net/wp/