Except for JSONP why is same domain policy is being followed?
For a successful cross-domain communication, we need to use dataType “jsonp” in jquery ajax call. JSONP or “JSON with padding” is a complement to the base JSON data format which provides a method to request data from a server in a different domain, something prohibited by typical web browsers.
Cross-origin resource sharing (or CORS) can be used to make AJAX requests to another domain.
A common problem for developers is a browser to refuse access to a remote resource. Usually, this happens when you execute AJAX cross domain request using jQuery Ajax interface, Fetch API, or plain XMLHttpRequest. As result is that the AJAX request is not performed and data are not retrieved.
The best way to bubble that error from the server side (using php) to the client side is to send a header through the Ajax request somewhere in the 400's (which is always associated with errors). Once the Ajax request receives this it will trigger your error function.
The Same Origin Policy has been implemented for security reasons ; quoting a relevant sentence from wikipedia :
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions.
A strict separation between content provided by unrelated sites must be maintained on client side to prevent the loss of data confidentiality or integrity.
Basically, you don't want any given website (like any website you might be surfing on -- and we all know people sometimes arrive on websites that you shouldn't trust) being able to access data from any other one (like your webmail, or account on a social network).
Because of Same origin policy.
The same-origin policy exists to prevent malicious use of resources. If there were no rules governing cross-domain script access, it would be trivial to wreak all manner of havoc on unsuspecting users. It would be easy, for example, for a malicious website to grab your session information to another site and execute actions on your behalf.
For one example, consider this:
You go to your favorite webmail program - it could be Gmail, Yahoo mail, Hotmail, or a private internal company webmail program.
After signing in and checking your email, you click a link to a malicious site which opens in a new tab.
The malicious site checks the http referer and sees that you came from your email account.
Using cross-domain scripting, the malicious site reaches back across into your email tab and downloads your address book and all your emails (or however many it can get before you close the popup).
Subsequently, after scanning your emails for passwords, financial data and other sensitive materials, it sends all your contacts an email from you endorsing the same site. And that's just one example. A more insidious plot would involve a malicious third party using your browser to spider your company's intranet, leaking classified information with you as the unwitting accomplice!
More on http://jimbojw.com/wiki/index.php?title=Introduction_to_Cross-Domain_Ajax
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With