XMLHttpRequest - Access Denied
devbobo
Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
I am trying to write an XML-RPC interface for blogger.com but when I try to execute the script from my smugmug page, I get access denied.
Is there any way that this can be overcome?
Cheers,
David
Comments
Not easily; it requires a non-smugmug server you control or additional help from either smugmug or blogger. Web browsers enforce the "same origin" rule for XMLHttpRequest, meaning that the request can only go out to the server from which the page was loaded (yourname.smugmug.com in this case).
The common workarounds for this include having the server hosting the page (i.e., smugmug in this case) proxy the request to blogger.com or having blogger.com support a javascript-based protocol (e.g., JSON -- although this also has some significant security implications). The other option is to have your own server (i.e., not smugmug and not blogger.com) host a "mashup" page that proxies requests from the javascript to each of smugmug and blogger.com.
[Edited to add:] There is an option that bridges the UI gap between in-page XHR and popping up a new window: dynamic iframes. Inside the smugmug page have a link to "blog this in page". In the JS on smugmug determine all the information that's going to be needed (e.g., the photo URL), and then dynamically add a new iframe to the smugmug page in the location you want the blogging UI to appear. Set the src of the iframe element to a page that accepts the image URL and other information as query arguments (this server needs to be somewhere you can host server-side code), then have that page contain all the UI for blogging that you want. Have the JS inside your iframe proxy your XHR requests to blogger.com through the server it was served from. This doesn't get you out of the need for (yet) another server, but does get you the ability to embed the blogging UI inside the smugmug page. I don't think the iframe will be able to close/delete itself, so you'd need to have a close window link outside the iframe in the smugmug page (because a similar "same origin" rule is also enforced between windows/frames/iframes so your content inside the iframe that came from outside smugmug.com cannot touch the DOM of the content outside the iframe that was served from smugmug.com). Hopefully this last part isn't too confusing.
HTH,
Scott
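The server-side proxy from the reply above, sketched for Node.js 18+ as an added example that is not part of the original posts. The route `/proxy/blogger`, the function names and the upstream URL are assumptions (the upstream is a placeholder for the real blogger.com endpoint). The destination is fixed on the server, so the proxy cannot be pointed at arbitrary hosts.

```javascript
// Added example. UPSTREAM is a placeholder, not a real blogger.com endpoint.
const UPSTREAM = new URL("https://blogger.example/xmlrpc");
const PHOTO_HOST_SUFFIX = ".smugmug.com"; // only photo URLs from smugmug subdomains

// The browser's same-origin test: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Validate the photo URL the iframe page receives as a query argument.
// Returns the normalized URL, or null if it must not be used.
function validPhotoUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null; // no javascript:, data:
  if (u.username || u.password) return null;                          // no embedded credentials
  return u.hostname.endsWith(PHOTO_HOST_SUFFIX) ? u.href : null;
}

// Decide what to do with a request from the iframe's JS. The client never
// supplies a destination: one path maps to one fixed upstream.
function planProxy(method, path, contentType) {
  if (path !== "/proxy/blogger") return { status: 404 };
  if (method !== "POST") return { status: 405 };
  if (!/^text\/xml\b/i.test(contentType || "")) return { status: 415 }; // XML-RPC body
  return { status: 200, target: UPSTREAM.href };
}

// Request handler in the shape expected by Node's http.createServer().
async function handler(req, res) {
  const path = new URL(req.url, "http://localhost").pathname;
  const plan = planProxy(req.method, path, req.headers["content-type"]);
  if (!plan.target) { res.writeHead(plan.status); return res.end(); }
  const chunks = [];
  let size = 0;
  for await (const c of req) {
    size += c.length;
    if (size > 64 * 1024) { res.writeHead(413); return res.end(); } // cap body size
    chunks.push(c);
  }
  const up = await fetch(plan.target, {
    method: "POST",
    headers: { "content-type": "text/xml" }, // browser cookies and headers are not forwarded
    body: Buffer.concat(chunks),
  });
  res.writeHead(up.status, { "content-type": "text/xml" });
  res.end(await up.text());
}
```

Because the iframe page and `/proxy/blogger` are served from the same host, the XHR inside the iframe is a same-origin request and the browser allows it.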
Good for security... bad if you don't know about it. I banged my head against that wall for so long....