XMLHttpRequest - Access Denied

devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
I am trying to write an XML-RPC interface for blogger.com but when I try to execute the script from my smugmug page, I get access denied.

Is there any way that this can be overcome?

Cheers,

David
David Parry
SmugMug API Developer

Comments

  • geoeremite Registered Users Posts: 37 Big grins
    edited January 25, 2006
    devbobo wrote:
    I am trying to write an XML-RPC interface for blogger.com but when I try to execute the script from my smugmug page, I get access denied.

    Is there any way that this can be overcome?

    Not easily; it requires a non-smugmug server you control or additional help from either smugmug or blogger. Web browsers enforce the "same origin" rule for XMLHttpRequest, meaning that the request can only go out to the server from which the page was loaded (yourname.smugmug.com in this case).

    The common workarounds for this include having the server hosting the page (i.e., smugmug in this case) proxy the request to blogger.com or having blogger.com support a javascript-based protocol (e.g., JSON -- although this also has some significant security implications). The other option is to have your own server (i.e., not smugmug and not blogger.com) host a "mashup" page that proxies requests from the javascript to each of smugmug and blogger.com.

    [Edited to add:] There is an option that bridges the UI gap between in page XHR and popping up a new window: dynamic iframes. Inside the smugmug page have a link to "blog this in page". In the JS on smugmug determine all the information that's going to be needed (e.g., the photo URL), and then dynamically add a new iframe to the smugmug page in the location you want the blogging UI to appear. Set the src of the iframe element to a page that accepts the image URL and other information as query arguments (this server needs to be somewhere you can host server-side code), then have that page contain all the UI for blogging that you want. Have the JS inside your iframe proxy your XHR requests to blogger.com through the server it was served from. This doesn't get you out of the need for (yet) another server, but does get you the ability to embed the blogging UI inside the smugmug page. I don't think the iframe will be able to close/delete itself, so you'd need to have a close window link outside the iframe in the smugmug page (because a similar "same origin" rule is also enforced between windows/frames/iframes so your content inside the iframe that came from outside smugmug.com cannot touch the DOM of the content outside the iframe that was served from smugmug.com). Hopefully this last part isn't too confusing.

    HTH,
    Scott
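
The same-origin comparison and the proxy workaround described in the post above, as an added example that is not part of the original thread or of anyone's posted code. The host mashup.example.net, the /proxy path with its host and path parameters, the /api path and the https upstream are assumptions; the allowlist keeps the proxy from forwarding to hosts it was not built for.

```javascript
// Added example: the same-origin rule and the proxy workaround from the thread.
// Assumed names: mashup.example.net, /proxy, its host/path parameters, /api.

// An origin is the scheme, host and port of a URL taken together.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Client side: where must script loaded from pageUrl send a request for targetUrl?
// Same origin goes direct; anything else goes to the page's own server.
function planRequest(pageUrl, targetUrl, proxyPath = '/proxy') {
  if (isSameOrigin(pageUrl, targetUrl)) return { direct: true, url: targetUrl };
  const t = new URL(targetUrl);
  const proxied = new URL(proxyPath, pageUrl);
  proxied.searchParams.set('host', t.hostname);
  proxied.searchParams.set('path', t.pathname + t.search);
  return { direct: false, url: proxied.href };
}

// Server side: forward only to the hosts the proxy exists for, so it cannot
// be pointed at arbitrary or internal servers.
const ALLOWED_UPSTREAMS = new Set(['blogger.com', 'www.blogger.com']);

function upstreamFor(proxiedUrl) {
  const q = new URL(proxiedUrl).searchParams;
  const host = q.get('host');
  const path = q.get('path') || '/';
  if (!ALLOWED_UPSTREAMS.has(host)) return null;
  if (!path.startsWith('/') || path.startsWith('//')) return null;
  const up = new URL(path, `https://${host}`); // https upstream is an assumption
  return up.hostname === host ? up.href : null; // path must not change the host
}

// Constructed sample URLs.
const smugmugPage = 'http://yourname.smugmug.com/gallery/1';
const iframePage = 'http://mashup.example.net/blog.html?img=photo.jpg';
const bloggerApi = 'http://www.blogger.com/api';

console.log(isSameOrigin(smugmugPage, bloggerApi)); // script on smugmug vs blogger
console.log(isSameOrigin(iframePage, smugmugPage)); // iframe vs the page embedding it
const plan = planRequest(iframePage, bloggerApi);
console.log(plan.url, '->', upstreamFor(plan.url));
```
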
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited January 25, 2006
    geoeremite wrote:
    Web browsers enforce the "same origin" rule for XMLHttpRequest, meaning that the request can only go out to the server from which the page was loaded (yourname.smugmug.com in this case).

    Good for security... bad if you don't know about it. I banged my head against that wall for so long....
    Pedal faster