0

I have a login link on a non-secure page that triggers a JSON post using jQuery. The post goes to the same domain but using a secure URL. My understanding of JSON is that it does allow cross-domain actions like this, but maybe this is a limitation.

When I run the script I get the following javascript error:

XMLHttpRequest cannot load https://.... Origin http://.... is not allowed by Access-Control-Allow-Origin.

I'm using the following code, nothing too complicated:

// postURL is something like https://example...
// postData is data to be transmitted
$.getJSON( postURL, postData + "&json=1", function(data) {
    // no error checking yet, just proceed to resultURL
    if ( true ) { window.location = resultURL; }
});

I've verified that if I load my source page securely the post works perfectly, so the only problem is the https difference.

There are a half dozen or so similar questions to mine on SO but none have an answer that works in my situation. Maybe this is just a limitation that can't be worked around?

Improve this question
2
  • 3
    That's cross-origin. You're being caught by the same origin policy. For it to work, you'll have to either implement CORS, use a server-side proxy, use a protocol-relative url, or use another transport type such as jsonp. replace https:// with // to make it a protocol-relative request. Commented Aug 8, 2013 at 22:16
  • interesting, thanks I didn't even know CORS existed! Commented Aug 9, 2013 at 14:13

1 Answer 1

Reset to default
1

As mentioned in the comments, you are trying to make a Cross Origin (CORS) XMLHttpRequest. This is because URI Scheme is defined as part of the origin of a request. This is possible, but requires both the client and server to pass certain headers between each other to validate that the connection is allowed.

The error you're getting means that your server does not send the correct response headers for you to be able to make CORS XMLHttpRequests to it. For info on the headers you need see the W3C spec. For more practical information on support in most browsers see this article.

Using jQuery, if your server supports it, you can make a CORS request by using the ajax function directly instead of calling it using getJSON.

Another option is changing to using JSONP and script tag injection, although this will still give security errors in some browsers depending on settings.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.