Is there a "safe" way to check if the same origin policy applies to a URL before actually trying to use ajax methods? Here is what I have:
function testSameOrigin(url) {
var loc = window.location,
a = document.createElement('a');
a.href = url; // the browser resolves relative URLs and parses the result for us
// same origin = same scheme, same host and same port as the current page
return a.hostname === loc.hostname &&
a.port === loc.port &&
a.protocol === loc.protocol;
}
This sort of works, but it's kind of a manual guess based on the Wikipedia article. Is there a better way of pre-checking cross-domain allowance? jQuery is OK to use.
Another way to execute cross-domain script is to use JSON-P. You can also read this article. Otherwise, cross-domain scripting is not allowed by the same-origin policy.
Interesting question! I searched around and couldn't find anything other than what you posted, but I did come across this when I was messing around with some test code. If you just want a simple way to test a URL without making a request, I'd do it the way you're doing it. If you don't care about making a request to test, you could try this:
Make a simple ajax request to whatever URL you want:
which returns a jqXHR object, which you can then check:
Now, the only problem with this is that isRejected() will evaluate to true for every single case where the page doesn't load (e.g. 404 Not Found), but you can check the status code with:
It looks like the above line will return 0 when you attempt to break the same origin policy, but it will return the appropriate error code (again, e.g. 404) in other cases.
So to wrap up, maybe you could try doing something like:
Not a definitive answer by any means, but I hope it helps you figure out what you're looking for!
Building off of Dagg Nabbit's answer, this seems a little more complete:
Caveats I can think of:
file:// protocol paths (someone please verify this, the info about Android might be outdated: https://security.stackexchange.com/questions/25138/same-origin-policy-for-file-urls-in-android-browser)
This is a safe and reliable way of doing it, provided you are doing (or rather not doing) certain things.
This should fully work under the "normal" circumstances. It will need to be modified if you are planning to use cross-domain scripting.
If you modify document.domain in your scripts, for example from "foo.example.com" and "bar.example.com" to "example.com", your testSameOrigin function would return false for "http://example.com", where in fact it should return true. If you are planning on modifying document.domain, you can simply add a check for that in your script.
If you are planning on using CORS (see the link above) to allow cross-domain communication, it will also return a false negative. But if you are using CORS, you will have a list of domains that you can communicate with, and you can add that list to this function as well.
Probably not, although it may be worth mentioning that what you are seeing in the console from Steve's answer might be the "observer's dilemma" ... Those errors look like they are resulting from the console trying to inspect the other window, not necessarily from the script.
Assuming you're not messing with document.domain or using CORS, your original solution is probably better, as it doesn't need to make an extra request to determine whether the server is available or not. Even if you are doing some cross-domain scripting, modifying the function you have now to accommodate it is probably your best bet.
Try this solution as well.