Why does this cross-domain Ajax call actually work?

I inadvertently wrote a cross-domain AJAX call to NextBus (with jQuery):

    $.ajax({
        url: 'http://webservices.nextbus.com/service/publicXMLFeed?command=predictions&a=sf-muni&r=1&s=6294',
        dataType: 'xml',
        success: function(data) {
            do_stuff();
        }
    });

It works in all browsers, even though the request goes to a different domain. Given the same-origin policy, why does this actually work?

The page is here: http://sftransitfirst.org/F/ ; choosing a stop from the dropdown triggers the ajax call.

As expected, a similar call to the Google Maps API web services fails with the familiar Origin ... is not allowed by Access-Control-Allow-Origin error (and it does not support jsonp).

+6
2 answers

They must have explicitly allowed cross-domain access with something like this:

 <?php header('Access-Control-Allow-Origin: *'); ?> 

Or with htaccess:

    <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin: *
    </IfModule>
+11

Many modern web APIs allow Cross-Origin Resource Sharing (CORS). CORS is a method by which a website voluntarily makes its pages available to cross-domain scripts. The Access-Control-Allow-Origin HTTP header from the server signals to your web browser that it may allow the script to access the page using Ajax, even if the script runs on a different origin. If the server does not serve CORS headers, your browser will enforce the SOP, as usual.

Most APIs choose to expose their pages to cross-domain scripts because they know that almost all of their users will want to access the API through Ajax from their own domains.

+5
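
The check both answers describe, as an added JavaScript example (not part of the original posts): a simplified model of how a browser decides whether a script may read a cross-origin response. The names `corsCheck` and `runCases` and all sample header values are assumptions made for illustration, and preflight requests are not modelled.

```javascript
// Simplified model of the browser-side CORS check for a simple cross-origin GET.
// The request is still sent either way; the check only decides whether the
// calling script may read the response. Header names are given in lower case.
function corsCheck(pageOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // The wildcard is honoured only for requests made without credentials.
  if (!withCredentials && allowOrigin === '*') {
    return { readable: true, reason: 'wildcard allows any origin' };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: 'header value does not match page origin' };
  }
  if (!withCredentials) {
    return { readable: true, reason: 'origin explicitly allowed' };
  }
  if (responseHeaders['access-control-allow-credentials'] === 'true') {
    return { readable: true, reason: 'origin and credentials allowed' };
  }
  return { readable: false, reason: 'credentials not allowed by server' };
}

// Constructed sample responses, evaluated for the page from the question.
const page = 'http://sftransitfirst.org';
const cases = [
  ['wildcard header', { 'access-control-allow-origin': '*' }, false],
  ['no CORS headers', {}, false],
  ['wildcard with cookies', { 'access-control-allow-origin': '*' }, true],
  ['different origin allowed', { 'access-control-allow-origin': 'http://example.com' }, false],
  ['exact origin with cookies', {
    'access-control-allow-origin': page,
    'access-control-allow-credentials': 'true',
  }, true],
];

function runCases() {
  return cases.map(([name, headers, creds]) =>
    Object.assign({ name }, corsCheck(page, headers, creds)));
}

console.table(runCases());
```

The third case is the one worth remembering when configuring a server: a wildcard `Access-Control-Allow-Origin` does not grant access to responses for requests that carry cookies or other credentials.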

Source: https://habr.com/ru/post/923975/

