Best practices for getting cross-site JSON responses to POST?
https://stackoverflow.com/questions/207554
-
03-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm working on an intranet with several subdomains. I have control over each subdomain, so security of cross-site requests is not a concern. I have PHP scripts with JSON responses I'd like to call from multiple subdomains without duplication. For GET requests, I can do this with AJAX and JSONP, but that doesn't work with POST requests. Some alternatives I see, none of which seem very good:
- POST to a copy on local subdomain with minimal response, then GET full response from central location with JSONP
- Both POST and GET to a copy on local subdomain with JSON
- Use mod_rewrite to use local URLs with a central script on back end with JSON
- Use symlinks to use local URLs with a central script on back end with JSON
Am I missing something simpler? What would you do here?
Solution
just look at this https://developer.mozilla.org/En/HTTP_access_control page. All what you need - add header to all you scripts that accept post request. Example:
OTHER TIPS
You could write a simple reflector at the server side. Add a script to each domain that simply passes your ajax request on to the appropriate domain. This script can be very simple (1 or 2 lines of code), avoids your cross site scripting issues and means you don't need to duplicate the complicated business logic in your existing scripts.
It will cause extra work for your server, but that may not be a problem for you.
The closest example code I can find on the sites I manage is the following. Here we needed to be able to use Googles Chart API on an HTTPS connection (which it does not support yet). The solution was to add the following script that passed the calls on...
<?php
// Set header so our output looks like a PNG
header("Content-Type: image/png");
// Reflect the image from googles chart API
echo file_get_contents('http://chart.apis.google.com/chart?'.$_SERVER['QUERY_STRING']);
?>
I use REST approach in such cases. Search google for more information about REST.
If they're all subdomains of the the same domain, you can just add this code to every page:
document.domain = 'domain.com';
Then, just use plain xmlHttpRequest.
