Why Does JSONP Call Return Forbidden 403 Yet URL can be accessed in a browser - jsonp

I know there are several questions related to this-- but I couldn't find my answer with them. Plus I wanted a bit more clarification.
I am running a rails app locally which makes a jsonp call to a sinatra application which is being used as an API.
When I put this URL in my browser I end up getting the correct response, yet when I make this call through jQuery using $.getJSON I get a forbidden 403 Error. I understand that the $.getJSON is making a jsonp request based on the url having callback=? parameter.
I'm trying to figure out what is causing the 403 Error. Is there some default configuration on the api application that is refusing the request because the script is being requested from an included script tag?
Right now the api request returns json data. I assume it's my responsibility to look at the callback parameter and construct a response that actually calls the callback...
So if the URL was http://myapi.com?callback=blah, then I should be returning something like:
blah({foo: 'bar'})
But I don't know exactly what the 403 is all about. If it's the api server that is returning, then what is it trying to protect against?
Here is an example of what the jsonp call looks like:
$.getJSON( 'http://myapi.com?callback=?', {biz: 'buzz'})
I see posts about setting headers for cross origin concerns-- but not sure why this is needed for jsonp request.

You need to add jsonp support to your sinatra api application.
Here is one way of adding jsonp support to your sinatra app
Add the rack-contrib gem to your Gemfile
gem 'rack-contrib'
Add the following to your config.ru
require 'rack/contrib'
use Rack::JSONP
Restart your sinatra app and start testing jsonp from javascript
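As an added example (not code from the question, the answer, or the rack-contrib gem), here is what the JSONP wrapping step looks like when written by hand as a Rack-style app, the same call(env) interface a Sinatra app exposes. It shows the three things a JSONP endpoint has to get right: answer with plain JSON when no callback is given, only wrap the body in a callback whose name looks like a JavaScript identifier (so a caller cannot reflect arbitrary script through the callback parameter), and serve the result as JavaScript. It also escapes U+2028/U+2029 inside the JSON, which is the defect behind the SoundCloud question further down this page. The names API, jsonp_response, js_safe_json, SAFE_CALLBACK and the sample query strings are assumptions for the example.

```ruby
require 'json'
require 'uri'

# Callback names must look like a JavaScript identifier path such as
# "jQuery21304_1" (what jQuery generates for "callback=?") or "window.cb".
# Anything else is rejected, so the response never echoes attacker-chosen script.
SAFE_CALLBACK = /\A[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\z/

# U+2028 and U+2029 are legal inside JSON strings but terminate a line in
# JavaScript source, which makes the callback call a SyntaxError when the JSON
# is embedded in a script. Escape them before the JSON is used as JS.
# (Block form of gsub so the replacement is taken literally, not as a backreference.)
def js_safe_json(payload)
  JSON.generate(payload)
      .gsub("\u2028") { '\u2028' }
      .gsub("\u2029") { '\u2029' }
end

# Build a Rack response triple [status, headers, body] for the given payload.
def jsonp_response(payload, callback)
  if callback.nil? || callback.empty?
    # No callback: ordinary JSON for same-origin or CORS callers.
    return [200, { 'content-type' => 'application/json' }, [JSON.generate(payload)]]
  end
  unless callback.match?(SAFE_CALLBACK)
    return [400, { 'content-type' => 'application/json' },
            [JSON.generate('error' => 'invalid callback name')]]
  end
  # The browser executes this body via a <script> tag, so label it as JavaScript.
  # The leading empty comment is a common hardening so the body cannot start
  # with caller-controlled bytes.
  body = "/**/ #{callback}(#{js_safe_json(payload)});"
  [200, { 'content-type' => 'application/javascript; charset=utf-8' }, [body]]
end

# The endpoint itself (hypothetical): echoes the "biz" parameter, mirroring the
# question's $.getJSON('http://myapi.com?callback=?', {biz: 'buzz'}) call.
API = lambda do |env|
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  jsonp_response({ 'foo' => 'bar', 'biz' => params['biz'] }, params['callback'])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request, as jQuery would send it.
  status, headers, body = API.call('QUERY_STRING' => 'callback=jQuery123_1&biz=buzz')
  puts status, headers.inspect, body.join
end
```

With a valid callback the body is `/**/ jQuery123_1({"foo":"bar","biz":"buzz"});`; without one it is the bare JSON object, and a callback such as `alert(1);//` gets a 400 instead of being reflected into a script the browser would run.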

Related

Can a script loaded from example.com/script.js, make fetch request to example.com and not get CORS prevention error? [duplicate]

If my website origin is notexample.com, and If I load library from example.com/script.js, can this script make fetch request to example.com and not get CORS prevention error?
I attempted to make the request, but I was met with a CORS error. I am quite curious as to how Google went about implementing its API. With Google Maps, for example, you are unable to directly request an API endpoint or else you will receive a CORS error. However, if you use the Google Maps client library that is loaded from Google servers/domain, you are able to make the request successfully. It's an interesting security measure that Google has taken, and it's something that I'd like to take some time to research further.
The origin of the script (https://example.com) is irrelevant, because cross-origin script embedding is always allowed:
Here are some examples of resources which may be embedded cross-origin:
JavaScript with <script src="…"></script>. [...]
What matters is the Web origin in which that script is loaded. If you load that script in the context of https://notexample.com and the script sends a (cross-origin) request to https://example.com, the Same-Origin Policy will kick in.
And unless https://example.com is configured for CORS to allow requests from https://notexample.com, things will not work as expected.
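To make the answer concrete, here is an added example (not code from the answer or from any real API) of the server-side decision that CORS comes down to, written as plain Ruby that a Rack or Sinatra app on https://example.com could call. The browser sends the page's origin (https://notexample.com) in the Origin header, never the origin the script file was loaded from, and the server either echoes that origin in Access-Control-Allow-Origin or does not; without it the browser blocks the page's JavaScript from reading the response. It also shows the preflight (OPTIONS) branch and Access-Control-Expose-Headers, which is what lets a CORS client read response headers (something JSONP, as the last question on this page notes, can never do). The allow-list, origins and function names are constructed for the example.

```ruby
require 'set'

# Constructed allow-list of page origins that may read responses from this API.
ALLOWED_ORIGINS = Set['https://notexample.com', 'https://app.notexample.com'].freeze

# Returns the CORS headers for a request whose page origin is `origin`, or an
# empty hash when the origin is not allowed. Note that this is the ORIGIN OF THE
# PAGE running the script, not the origin the script file was downloaded from.
def cors_headers(origin)
  return {} unless origin && ALLOWED_ORIGINS.include?(origin)
  {
    # Echo the one exact origin; never combine '*' with credentials.
    'access-control-allow-origin' => origin,
    # Caches must key on Origin, since the response differs per origin.
    'vary' => 'Origin',
    'access-control-allow-methods' => 'GET, POST',
    'access-control-allow-headers' => 'Content-Type',
    # Response headers the page's JavaScript is permitted to read.
    'access-control-expose-headers' => 'X-Request-Id'
  }
end

# Minimal Rack-style handler (hypothetical): answers the preflight for
# non-simple requests, then the real request. The server always sends the
# resource; it is the browser that withholds it from the page when the CORS
# headers are missing.
def handle_request(env)
  headers = cors_headers(env['HTTP_ORIGIN'])
  if env['REQUEST_METHOD'] == 'OPTIONS'
    return headers.empty? ? [403, {}, []] : [204, headers, []]
  end
  [200, headers.merge('content-type' => 'application/json', 'x-request-id' => 'req-1'),
   ['{"ok":true}']]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: one from an allowed page origin, one from an unknown origin.
  puts handle_request('REQUEST_METHOD' => 'GET', 'HTTP_ORIGIN' => 'https://notexample.com')[1].inspect
  puts handle_request('REQUEST_METHOD' => 'GET', 'HTTP_ORIGIN' => 'https://attacker.invalid')[1].inspect
end
```

Only the first request gets an Access-Control-Allow-Origin header back; the second still receives the JSON body on the wire, but without that header the browser enforces the Same-Origin Policy and the page's fetch() rejects.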

Instagram realtime api https

I'm coding an app in PHP and I've had issues starting a tag subscription when I don't use HTTPS, I've tested both ways and would prefer to use HTTP if possible.
Has anyone else run into this and know of a solution?
Their documentation doesn't show the need for https. When I use HTTP I get the error
Unable to reach callback URL "http://...
My issue wasn't https vs http. It was my function that curls the post data. I rebuilt it and it works now.
A note for future people trying to use the Realtime API: it returns zero data about the Instagram post, which I find odd; why not include a post id at the very least? All it currently does is ping your server with data about the subscription affected. It's also worth noting that to see that data you have to use this command in PHP
$igdata = file_get_contents("php://input");

Invalid javascript/JSONP response from Soundcloud API

When I include this url as a <script> in my HTML document, Chrome does not call my callback function, whereas it works perfectly for other urls returned by soundcloud's resolve api.
After a long investigation using Chrome Dev Tools, I finally found out that the javascript returned by that call fires a SyntaxError (cf the screenshot below).
How can I get my callback function to be called as usual for that file?
DevTools actually pinpoints the issue:
There is a disallowed character (\u2028) in the response. SoundCloud messed up sanitizing that. This JSONP response is invalid in all browsers.
To work around it, you can simply fetch the JSON file directly. SoundCloud's CORS setup seems to allow that.

Can't get anything other than HTTP 202 response from eBay API

(Also posted this on the eBay Dev Forums, but it has low volume and is very slow)
I'm trying to build my first call to eBay's API. I am using Postman Chrome App, but have also tried the Python Requests library, with the same problem in each.
No matter what I send, I just get back an HTTP 202 code with an empty body, instead of the XML response I am expecting. This happens with either the sandbox or the production endpoint. Doesn't matter if I use correct or incorrect credentials, or a valid or invalid API call name.
Screenshot of building the call in Postman:
Finally heard back from eBay Support.
The problem is the trailing slash on the endpoint. Any kind of trailing slash will cause a generic 202 response. Removing it fixed the problem.

JSONP check header response

If I get data from an external website in JSONP form, how do I access the http header response? I have heard this may be difficult but my experience is that everything is possible.
Nope.
This is completely impossible.
The whole point of JSONP is to bypass the same-origin policy by passing a result through executable Javascript code.
Other than JS code generated by the remote server, you cannot get any information.