Reputation: 6494
I understand the notion of the same-origin policy and the reasons for it, and I understand that cross-domain requests are possible with CORS. But I'd like to know if it's in any way possible, however unconventional it may be, to communicate with a server cross-domain when that server does not return the "Access-Control-Allow-Origin" header in responses.
I'm not trying to attack anything. I just want to legitimately login to a web application (I don't own the web app) from a remote domain and trigger some selected functionality that will result in retrieving some data.
Could someone tell me if this is even possible and how I might go about it? If it's not possible to make an ajax call directly, could I perhaps embed a hidden iframe containing the target web app in my own site and manipulate it somehow?
Reputation: 17906
You can use Yahoo Query Language (YQL) to get around that :D
Here's an extended jQuery ajax function for doing so:
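/**
 * Replaces jQuery.ajax with a wrapper that reroutes cross-origin GET requests
 * for non-JSON data through Yahoo's public YQL endpoint, called as JSONP
 * (the "callback=?" placeholder), and hands the first YQL result to the
 * caller's success handler as `{ responseText: ... }`.
 *
 * All other requests (same-origin, non-GET, JSON dataType, relative URLs) are
 * passed to the original jQuery.ajax untouched.
 *
 * Security notes for anyone adopting this:
 *  - The page is fetched by the YQL service, not by the browser, so none of
 *    the user's cookies or session for the target site are sent. It cannot
 *    act inside a logged-in session.
 *  - The target URL and every query parameter are disclosed to a third party;
 *    never route credentials or tokens through it.
 *  - JSONP runs whatever script the endpoint returns in this page's origin,
 *    so the endpoint is fully trusted by construction.
 *  - The returned markup is untrusted content: sanitize it before inserting
 *    it into the DOM.
 *  - This patches jQuery.ajax globally and therefore affects every caller on
 *    the page, including third-party plugins.
 *  - NOTE(review): Yahoo has since retired the public YQL service; verify the
 *    endpoint still responds before relying on this.
 *
 * @param {Object} options - regular jQuery.ajax settings object.
 * @returns {*} whatever the original jQuery.ajax returns.
 */
jQuery.ajax = (function (originalAjax) {
  var protocol = location.protocol;
  var hostname = location.hostname;

  // Escape regex metacharacters so the dots in the hostname match literally,
  // anchor at the start of the URL, and require a delimiter after the host so
  // that "example.com.other.net" is not mistaken for "example.com".
  var ownOriginPattern = new RegExp(
    "^" +
      (protocol + "//" + hostname).replace(/[.*+?^${}()|[\]\\]/g, "\\$&") +
      "(?:[:/?#]|$)",
    "i"
  );

  // Use the same scheme as the current page to avoid mixed-content blocking.
  var yqlEndpoint =
    "http" +
    (/^https/.test(protocol) ? "s" : "") +
    "://query.yahooapis.com/v1/public/yql?callback=?";
  var yqlTemplate = 'select * from html where url="{URL}" and xpath="*"';

  // True for absolute URLs that do not point at the current host.
  function isRemoteUrl(url) {
    return !ownOriginPattern.test(url) && /:\/\//.test(url);
  }

  // Percent-encode characters that would terminate or escape the quoted
  // url="..." literal inside the YQL statement.
  function encodeForYqlLiteral(url) {
    return url.replace(/["\\]/g, function (ch) {
      return encodeURIComponent(ch);
    });
  }

  return function (options) {
    var targetUrl = options && typeof options === "object" ? options.url : undefined;
    var shouldProxy =
      typeof targetUrl === "string" &&
      /get/i.test(options.type) &&
      !/json/i.test(options.dataType) &&
      isRemoteUrl(targetUrl);

    if (!shouldProxy) {
      return originalAjax.apply(this, arguments);
    }

    // Fold the caller's data into the target URL's query string; data that is
    // already a serialized string must not be passed through jQuery.param.
    var query = "";
    if (options.data) {
      query =
        (/\?/.test(targetUrl) ? "&" : "?") +
        (typeof options.data === "string" ? options.data : jQuery.param(options.data));
    }
    var yqlUrlLiteral = encodeForYqlLiteral(targetUrl + query);

    // Work on a shallow copy so the caller's settings object is not mutated.
    var proxied = jQuery.extend({}, options, {
      url: yqlEndpoint,
      dataType: "json",
      data: {
        // A function replacer keeps "$&", "$1", ... in the URL from being
        // interpreted as replacement patterns.
        q: yqlTemplate.replace("{URL}", function () {
          return yqlUrlLiteral;
        }),
        format: "xml"
      }
    });

    // When only `complete` was supplied it is promoted to the success handler.
    var onSuccess = options.success;
    if (!onSuccess && options.complete) {
      onSuccess = options.complete;
      delete proxied.complete;
    }

    proxied.success = function (payload) {
      if (!onSuccess) {
        return;
      }
      // A reply without a `results` array would otherwise throw here.
      var first = payload && payload.results ? payload.results[0] : undefined;
      onSuccess.call(this, { responseText: first }, "success");
    };

    return originalAjax.call(this, proxied);
  };
})(jQuery.ajax);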
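This will send the request to YQL, which allows cross-origin access, and YQL will return the content of the requested URL even if the target server does not send the correct headers. Note that the page is fetched by Yahoo's servers rather than by the browser, so the request carries none of the browser's cookies or session for the target site, and the returned markup should be treated as untrusted.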