Same origin policy seemingly inconsistent using the jQuery AJAX API
I am trying to understand how the same origin policy (SOP) applies in different situations.
I have the following JavaScript code written in a local HTML file and working with Chrome on Windows:
    $(document).ready(function () {
        $.get("http://www.quandl.com/api/v1/datasets/FRED/GDP.json", function (r) {
            window.alert(r.source_name);
        });
    });
It works by giving me data retrieved from another domain (www.quandl.com). However, if I change this to google.com, the callback is not called:
    $(document).ready(function () {
        $.get("http://www.google.com", function (r) {
            window.alert(r);
        });
    });
I believe the inconsistency here is because the first resource has a header Access-Control-Allow-Origin: *, so it supports CORS and allows scripts from all domains to access data using AJAX and XMLHttpRequests.
Whereas google.com does not, so trying to access it from a different domain will give you the usual errors.
Adding this header to any page will lift the same origin policy. You can also do Access-Control-Allow-Origin: domain to only allow requests from the domain domain.
Check out this one for more information on CORS support.
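The header comparison described in the answer above, written out as an added example that is not part of the original question or answer. It follows the CORS check the browser applies to a non-preflighted request such as this `$.get`; the header sets are constructed samples rather than captured responses, and `https://app.example` is a hypothetical origin.

```javascript
// Added example: the browser-side CORS check for a cross-origin response.
// Header sets below are constructed samples, not captured traffic.

// Serialize the origin of the page that issues the request.
// Pages loaded from file:// have an opaque origin, serialized as "null".
function pageOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Case-insensitive header lookup; returns undefined when the header is absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key].trim();
}

// Returns true when script running on `origin` may read the response.
function corsCheck(origin, headers, withCredentials = false) {
  const allow = header(headers, "Access-Control-Allow-Origin");
  if (allow === undefined) return false;       // no opt-in: same origin policy blocks the read
  if (allow === "*") return !withCredentials;  // wildcard never covers credentialed requests
  if (allow !== origin) return false;          // exact string match, no lists or patterns
  if (!withCredentials) return true;
  return header(headers, "Access-Control-Allow-Credentials") === "true";
}

const localPage = pageOrigin("file:///C:/test/page.html");     // "null"
const sitePage = pageOrigin("https://app.example/index.html"); // hypothetical site

const openApi = { "Access-Control-Allow-Origin": "*" };                  // like the first resource
const noCors = { "Content-Type": "text/html" };                          // like the second resource
const pinned = { "access-control-allow-origin": "https://app.example" }; // one allowed origin

function demo() {
  return {
    localOpen: corsCheck(localPage, openApi),
    localNone: corsCheck(localPage, noCors),
    localPinned: corsCheck(localPage, pinned),
    sitePinned: corsCheck(sitePage, pinned),
    siteOpenWithCookies: corsCheck(sitePage, openApi, true),
  };
}

console.log(demo());
```

In the failing cases the request is still sent and answered; the check only decides whether the script is allowed to read the response. A page opened from a local file has the origin `null`, so a header naming a specific domain does not match it.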