How to make a cross domain http get request using javascript?

Question

I'm trying to implement sms functionality in Dynamics CRM 2011. I've created a custom activity for this and added a button to the form of an SMS. When hitting the button, a sms should be send.

I need to make an http request for this and pass a few parameters. Here's the code triggered:

function send() {
var mygetrequest = new ajaxRequest()
mygetrequest.onreadystatechange = function () {
    if (mygetrequest.readyState == 4) {
        if (mygetrequest.status == 200 || window.location.href.indexOf("http") == -1) {
            //document.getElementById("result").innerHTML = mygetrequest.responseText
            alert(mygetrequest.responseText);
        }
        else {
            alert("An error has occured making the request")
        }
    }
}
var nichandle = "MT-1234";
var hash = "md5";
var passphrase = "[encryptedpassphrase]";
var number = "32497123456";
var content = "testing sms service";

mygetrequest.open("GET", "http://api.smsaction.be/push/?nichandle=" + nichandle + "&hash=" + hash + "&passphrase=" + passphrase + "&number=" + number + "&content=" + content, true)
mygetrequest.send(null)
}

function ajaxRequest() {
    var activexmodes = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"] //activeX versions to check for in IE
    if (window.ActiveXObject) { //Test for support for ActiveXObject in IE first (as XMLHttpRequest in IE7 is broken)
        for (var i = 0; i < activexmodes.length; i++) {
            try {
                return new ActiveXObject(activexmodes[i])
            }
            catch (e) {
                //suppress error
            }
        }
    }
    else if (window.XMLHttpRequest) // if Mozilla, Safari etc
        return new XMLHttpRequest()
    else
        return false
}

I get the "access is denied error" on line:

mygetrequest.open("GET", "http://api.smsaction.be/push/?nichandle=" ......

Any help is appreciated.

Answer 1

Your AJAX requests by default will fail because of Same Origin Policy.

http://en.wikipedia.org/wiki/Same_origin_policy

Modern techniques allow CORS ( see artilce by Nicholas ) http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/

jQuery's Ajax allow CORS.

Another way to do it is to get the contents and dynamically generate a script element and do an insertBefore on head.firstchild ( refer jQuery 1.6.4 source line no : 7833 ) Google analytics code does some thing similar as well. you might want to take a look at that too.

Cheers.. Sree

Answer 2

The retrieving site has to approve cross domain AJAX requests. Usually, this is not the case.

You should contact smsaction.be or check their FAQ to see if they have any implementation in place.

Usually JSONP is used for cross domain requests, and this has to be implemented on both ends.

A good way to overcome this, is using your own site as a proxy. Do the AJAX requests to an script on your side, and let it do the call. In example PHP you can use cURL

Answer 3

For your example, when requesting from different domain error is:

XMLHttpRequest cannot load http://api.smsaction.be/push/?nichandle=??????&hash=?????&passphrase=[???????????]&number=????????????&content=???????????????. Origin http://server is not allowed by Access-Control-Allow-Origin.

For cross domains XMLHttp requests destination server must send Access-Control-Allow-Origin response header.

MDN: https://developer.mozilla.org/en/http_access_control

Answer 4

I suppose the SMS-service is in different domain. If so, you cannot make AJAX-call to it, because it violates same origin policy. Basically you have two choices:

1. Do the SMS-sending on server-side
2. Use JSONP

Also, is it really so that the passphrase and other secrets are visible in HTML? What prevents people from stealing it and using it for their own purposes?