Same origin policy - PHP JavaScript call

I know this is a popular topic, but I have yet to find an answer that will be fully comprehensive.

I am trying to create an easy way for our "customers" to place a Google map on their website, which will indicate the positions of our customers (or their subsets) on the map. Clients are located in the MySQL database, which turns into XML on the fly using a PHP script (according to the Google example). This works fine on my website, but when I try to use it on another website, xmlHTTPRequest cannot look at the PHP because it is on a different domain.

I can get around this by writing a different PHP file in another domain that just reads the PHP file in the source domain. But not all of our clients will run PHP on their servers. Is there a way to return XML results from our database using JavaScript?

A few points:

  • The JavaScript that does the xmlHTTPRequest is still sitting on our server - our clients reference it from the script tag. I thought this might be enough, but the "origin" (according to Chrome, anyway) is still considered domain #2.

  • This is great: if I use an absolute link in xmlHTTPRequest (e.g. request.open('GET', 'http://mydomain.com/api/foo.php', true)) then this will fail in IE, but if I use a relative link ('/api/foo.php'), it will work.

  • I don't know enough about this, but can I use JSON? I saw: 'script src="http://..../someData.js?callback=some_func"' but I don't know how I would make 'someData.js' look like JSON? (I think a lot about functions that are probably incorrect?).

  • I tried to add: header("Access-Control-Allow-Origin: *"); at the top of the PHP that outputs XML, but it really doesn't do much that I can say!

  • If I use the PHP shell on the client server, what is the advantage of using a cURL request rather than just file_get_contents or fopen?

Sorry, many questions, but any guidance would be greatly appreciated.

Bulk thanks

Mat

+4
3 answers

A simple way to do this is to have your PHP script return something like:

callback_function(YOUR_DATA); 

Then, in the JS script included in the client site, you dynamically insert a <script> element whose src points to your PHP script:

    (function() {
        // Create a script element that loads the PHP endpoint's output
        var scriptElement = document.createElement('script');
        scriptElement.type = 'text/javascript';
        scriptElement.async = true;
        scriptElement.src = 'http://example.org/yourScript.php?data=...';
        // Insert it before the first script tag already on the page
        var container = document.getElementsByTagName('script')[0];
        container.parentNode.insertBefore(scriptElement, container);
    })();

This method is called JSONP and should do exactly what you want;)

Another way to solve the problem is to enable cross-domain XMLHttpRequest in the content security policy. But I think that only Firefox 4 supports this right now.

+6
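The `callback_function(YOUR_DATA);` response described in the answer above takes its function name from the query string (the `callback=some_func` form in the question), so the server has to validate that name and escape the data before echoing either into executable script. The following is an added example, not code from this thread, written in JavaScript to show the checks the PHP script would make; the function names and the sample record are hypothetical.

```javascript
// Accept only a plain identifier, optionally dotted (e.g. "maps.onData"),
// and cap its length so the parameter cannot smuggle in script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallbackName(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// JSON.stringify output is valid JSON but not always safe as script source:
// escape "<" (so data cannot form "</script>" or "<!--") and the two line
// separators that older JavaScript engines treat as newlines inside strings.
function serializeForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Returns the status, headers and body the JSONP endpoint should send.
function buildJsonpResponse(callbackParam, data) {
  if (!isSafeCallbackName(callbackParam)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: callbackParam + '(' + serializeForScript(data) + ');',
  };
}

// Constructed sample record standing in for one customer row.
const SAMPLE = [{ name: 'Acme </script>', lat: 51.5, lng: -0.12 }];
```

Only data that is meant to be public belongs behind such an endpoint, because any site can include the script and read what it passes to the callback.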

Can you use JSON instead of XML? If so, your option 3) is likely to be your best bet. There are security risks with this approach and it should only be used for well-known and reliable sources.

Additional information: http://www.codeproject.com/KB/aspnet/JSONToJSONP.aspx

+1

JavaScript is the client side, but there is no database. JavaScript cannot directly retrieve from a MySQL database.

0