The browser same-origin policy prevents a document loaded from one domain from accessing a document from another domain (cross-domain). The policy was introduced to prevent certain kinds of cross-site scripting attacks, such as hijacking the user to a remote site, stealing cookies and impersonating the victim, keystroke logging, etc. It is enforced in most modern browsers (IE has enforced it since version 8).
There is an exception to the policy: it allows script documents to be loaded dynamically from another domain. Using this exception, we can call services on another domain that return results in JSONP format. JSONP supports “On-Demand JavaScript”, which is the ‘ability to add new JavaScript to the existing code dynamically by calling a service’. When a service says it can return results in JSONP format, it means that it actually returns JavaScript containing a function invocation, with the service results passed as the parameter to that JavaScript function. For example, suppose we call the following Twitter search URL from JavaScript:
http://search.twitter.com/search.json?callback=foo&q=twitter.
The call returns the JavaScript function invocation foo(‘JSONData’), where ‘JSONData’ is the service results (Twitter search results in this case). We need to define a JavaScript function named foo that takes a JSON-format parameter and does the processing.
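The exchange described above, as an added example that is not part of the original article: what a JSONP service sends back and how the calling page consumes it. The names buildJsonpResponse, loadJsonp and CALLBACK_RE are hypothetical, new Function stands in for the browser executing the loaded script, and the check on the callback name is an assumption about how a service should treat a value it reflects into script.

```javascript
// Added example (not from the original article). Runs in Node or a browser console.
// buildJsonpResponse, loadJsonp and CALLBACK_RE are hypothetical names.

// The callback name is copied verbatim into executable script, so the
// service accepts only a plain JavaScript identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Service side: wrap the JSON result in a call to the requested callback.
function buildJsonpResponse(query, data) {
  const callback = new URLSearchParams(query).get('callback');
  if (!callback || !CALLBACK_RE.test(callback)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  // U+2028/U+2029 are legal in JSON but are line terminators in
  // pre-ES2019 script, so escape them before embedding the JSON.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${callback}(${json});`,
  };
}

// Client side: stand-in for <script src="...?callback=foo">. The browser
// would run the response body as script in the page, where foo is defined.
// Whatever the service returns runs with the page's full privileges.
function loadJsonp(response, callbackName, handler) {
  if (response.status !== 200) {
    throw new Error('service rejected request: ' + response.body);
  }
  // Binds handler to the callback name and executes the body: foo({...});
  new Function(callbackName, response.body)(handler);
}

// Constructed sample data; no network access is involved.
function demo() {
  const received = [];
  const foo = (data) => received.push(data);
  const sample = { results: [{ text: 'constructed sample' }] };
  const response = buildJsonpResponse('callback=foo&q=twitter', sample);
  loadJsonp(response, 'foo', foo);
  return { body: response.body, received };
}
```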
The other workarounds are:
Flash policy files (http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html) – The other domain needs to host a configuration file (cross-domain.xml) that states whether cross-domain traffic is allowed. When the other domain hosts this file, we can make any type of call (web service, JSON, HTML, etc.) to it. There are many free third-party add-ons that support this. The popular one is “flxhr”.
IE8 XDomainRequest - http://msdn.microsoft.com/en-us/library/cc288060%28vs.85%29.aspx
JSONRequest (http://www.json.org/JSONRequest.html) - The server doesn’t need to support the JSONP format. This is still a proposal and has not yet been adopted or implemented by any browser or forum.