cross-origin ‘Authorization’-header with jquery.ajax()

This is an example of making a CORS request. If you have access to the server (which I assume you do since this is a request to localhost), you will need to add CORS-specific response headers. The simplest thing to do is to add the following response headers: Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE … Read more

CORS and phonegap apps

With PhoneGap you can just XHR directly to remote servers and it should “just work”. Cross-domain policy does not apply to PhoneGap (for a variety of reasons, basically because your app is essentially running off the file:// URI on-device). Please be aware that you will have to set up a whitelist for your apps to access … Read more

Spring Global CORS configuration not working but Controller level config does

In order for the global CORS config to work, the client must add these two headers in the OPTIONS request. Origin: http://host.com Access-Control-Request-Method: POST However the @CrossOrigin annotation requires just the “Origin” header. Your client probably adds the “Origin” header but is missing the “Access-Control-Request-Method”... that's why it works for you with the @CrossOrigin, but doesn’t … Read more

Detect browser support for cross-domain XMLHttpRequests?

For future reference, full CORS feature detection should look something like this: //Detect browser support for CORS if ('withCredentials' in new XMLHttpRequest()) { /* supports cross-domain requests */ document.write("CORS supported (XHR)"); } else if(typeof XDomainRequest !== "undefined"){ //Use IE-specific "CORS" code with XDR document.write("CORS supported (XDR)"); }else{ //Time to retreat with a fallback or polyfill … Read more

HTTP and HTTPS iframe

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there’s no good way for the user to check they’re using the HTTPS site they intend (unless the user really wants to check the source … Read more

What’s your favorite cross domain cookie sharing approach? [closed]

My approach designates one domain as the ‘central’ domain and any others as ‘satellite’ domains. When someone clicks a ‘sign in’ link (or presents a persistent login cookie), the sign in form ultimately sends its data to a URL that is on the central domain, along with a hidden form element saying which domain it … Read more
