We have an ASP.Net application hosted on our network and exposed to a specific client. This client wants to be able to import data from their own server into our application. The data is retrieved with an HTTP request and is CSV formatted. The problem is that they do not want to expose their server to our network and are requesting the import to be done on the client side (all clients are from the same network as their server).
So, what needs to be done is:
- They request an import page from our server
- The client script on the page issues a request to their server to get CSV formatted data
- The data is sent back to our application
This is not a challenge when both servers are on the same domain: a simple hidden iframe or something similar will do the trick, but here what I'm getting is a cross-domain "access denied" error. They also refuse to change the data format to return JSON or XML formatted data.
What I tried and learned so far is:
- Hidden iframe -- "access denied"
- XMLHttpRequest -- behaviour depends on the browser security settings: may work, may work while nagging a user with security warnings, or may not work at all
- Dynamic script tags -- would have worked if they could have returned data in JSON format
- IE client data binding -- the same "access denied" error
Is there anything else I can try before giving up and saying that it will not be possible without exposing their server to our application, changing their data format or changing their browser security settings? (DNS trick is not an option, by the way).
It might be too late for your client, but since you have have control over both domains, you can try EasyXDM. It's a library which wraps cross-browser quirks and provides an easy-to-use API for communicating in client script between different domains using the best available mechanism for that browser (e.g. postMessage if available, other mechanisms if not).
Caveat: you need to have control over both domains in order to make it work (where "control" means you can place static files on both of them). But you don't need any server-side code changes.
JSONP might be the answer for you if they can server data in a JSON format. Other than that you will always run into Same Origin Policy issues with cross-domain calls. Have you looked into doing Server-side calls to do HTTP requests to their server?
Your client is JavaScript served by your application, right?
Your client can then only send requests to your applciation (cross-site scripting prevention), that the error you are seeing?
Assuming yes, then a solution is to have your application offer a "proxy" service. You browser code can ask your server for some data. Your server is free to issue an Http request to any server it likes (no browser to object). So you implement a little service to go get that cvs data and present it to your application.
You might even choose to map that CSV data to JSON if it's your client that's consuming it.
Can't you host just the JS file on their server? This should allow script in that file to make ajax calls back to their server.
You can try though the flash. If you will put this yourdomain.com/crossdomain.xml in you root you will be able to make cross domain requests from mysite.com.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.mysite.com" to-ports="25" />
</cross-domain-policy>
