Cross-Origin Resource Sharing
What is the problem?
Access to resources offered on a different domain than the one the JavaScript client was loaded from is restricted by the Same Origin Policy. This is a good idea in principle, as it protects you from bad sites hacking your bank account or other relevant data.
Data from public APIs can be accessed either via JSONP requests (JSON with padding: the JSON is embedded in a call to a callback method) or via [[http://en.wikipedia.org/wiki/Cross-origin_resource_sharing][CORS]] requests. Another possibility is to make requests via a proxy, but this requires that the client has a server backend available, which is not the case for Android apps, for example. In any case, it requires additional configuration of the backend.
CORS requests
CORS is a W3C specification and is broadly implemented by all new browser types. On the client side, creating a CORS request mostly means adding an Origin URL as an HTTP header. If the remote server is configured to allow the client's Origin to access the server's resources, it returns an OK; otherwise the same-origin policy applies.
HowTo Client
We won't repeat HowTos which have already been written. HTML5Rocks supplies a good one explaining how to make CORS requests from JavaScript.
HowTo Server
Apache Tomcat (version 7 and later) provides a CORS filter which can easily be configured in a web application's web.xml. See Tomcat's filter documentation for a detailed description.
There are plenty of other servers which can be configured to handle CORS.