ULLAS MOHAN.V

Reputation: 1531

Access-Control-Allow-Origin issue in XMLRPC request

I am working on mobile app development using HTML5 + PhoneGap. Currently I am working on a mobile app using XMLRPC and it is working fine (Android and iOS).

I need to make the same application work as a website in browsers (using HTML5). But when I try to run my application as a website I get this error:

XMLHttpRequest cannot load 'Client URL'. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

When I searched, experts say to use JSONP. But can I make it work using the same XMLRPC method?

For example, for login I am using:

// Login call through the jQuery XML-RPC plugin ($.xmlrpc)
$.xmlrpc({
  url: 'http://clienturl/xmlrpc/common',
  methodName: 'login',
  // positional parameters of the remote 'login' method, all strings
  params: ['Database_name', 'user_name', 'Password'],
  success: function(response, status, jqXHR) {
    alert('success');
  },
  error: OnError  // error callback defined elsewhere in the app
});

It is working fine as a mobile application.

But I get the Access-Control-Allow-Origin cross-domain issue when I try to run it as a website.

How can I fix this?

Upvotes: 2

Views: 3050

Answers (1)

inf3rno

Reputation: 26137

By default the SOP (same origin policy) allows cross-origin requests, but it prevents receiving the responses of those requests. The Access-Control-Allow-Origin in your error message is a CORS (cross-origin resource sharing) header. It tells the browser that you allow reading the responses of a domain (your XMLRPC server's domain) by sending requests from another domain (your XMLRPC client's domain). So you have to send back CORS allow headers from your server if you want to call it with AJAX.

note: CORS won't work in old browsers.

Possible solutions:

  • If you call http://clienturl/xmlrpc/common from http://localhost then the

    response.header('Access-Control-Allow-Origin', "*")
    

    is one not so secure solution according to this: Origin http://localhost is not allowed by Access-Control-Allow-Origin. But you can always add another hostname (e.g. http://client.xml.rpc) for your client; for example, on Windows you can modify the hosts file and add a binding using the IIS server.

    I don't recommend this solution, because it is a security risk with the allow credentials header.

  • Another, more secure option is to make a list of allowed hosts, check from which host you got the actual request, and send back the proper header:

    // Decide on the browser-sent Origin header: the Host header names the
    // server itself, while Origin names the page that made the request.
    var origin = request.get('Origin');
    if (allowedHosts.indexOf(origin) !== -1) {
        if (origin === "http://localhost")
            response.header('Access-Control-Allow-Origin', "null");
        else
            response.header('Access-Control-Allow-Origin', origin);
    } else {
        response.header('Access-Control-Allow-Origin', server.host);
    }
    

    This is the proper solution with multiple hosts, because if you allow credentials for *, then everybody will be able to read and write the session of a logged in user.

    For http://localhost and file:/// IRIs you have to use the null origin. I am unsure about other protocols; I guess in current browsers you have to use the null origin for them as well.

Upvotes: 1
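The allowlist approach from the answer above, worked through as an added example that is not code from the question or the answer: it echoes exactly one allowlisted origin, never "*" together with credentials, and it also answers the preflight OPTIONS request that a text/xml XML-RPC POST triggers in the browser. ALLOWED_ORIGINS, corsHeadersFor and handleCors are hypothetical names, and the listed origins are constructed.

```javascript
// Added example (not from the question or answer): origin allowlist for the
// XML-RPC endpoint, with preflight handling, written against Node's plain
// http request/response objects (req.headers, req.method, res.setHeader).
const ALLOWED_ORIGINS = new Set([
  'http://client.xml.rpc',     // the extra hostname the answer suggests
  'https://app.example.test',  // constructed production origin
]);

// Decide which CORS headers to send for a request from `origin`.
// Returns {} when the origin is not allowed: no allow header goes out, so the
// browser's same-origin policy keeps that page from reading the response.
function corsHeadersFor(origin, method) {
  const headers = {};
  // 'null' is what file:// pages and sandboxed iframes send; it is never
  // echoed back, because every such document would then be allowed in.
  if (!origin || origin === 'null' || !ALLOWED_ORIGINS.has(origin)) return headers;
  // Echo exactly one allowlisted origin. '*' cannot be combined with
  // credentials, and reflecting any origin would expose a logged-in session.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin';  // shared caches must not reuse one origin's answer for another
  if (method === 'OPTIONS') {
    // Preflight: a text/xml POST is not a "simple" request, so the browser asks first.
    headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Middleware step: applies the headers and answers preflights itself.
// Returns true when the request was a preflight and has been fully handled.
function handleCors(req, res) {
  const h = corsHeadersFor(req.headers['origin'], req.method);
  for (const [name, value] of Object.entries(h)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    res.end();
    return true;
  }
  return false;  // fall through to the XML-RPC handler
}
```

Call handleCors(req, res) before dispatching to the XML-RPC handler, and only continue when it returns false.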
