none
Why cross domain is not allowed and if it's possible to circumvent it?

    Question

  • Hello,

    I was trying to use Bing Maps Locations API from my GWT-application, but the call did not go through since cross domain messages are not allowed. I was previously using Google Maps Geocoding API which had no problems with cross domain messages, but due to licensing agreements we're now using Bing Maps.

    I wonder if it would be possible to make Bing Maps Locations API behave similarly as Google Maps Geocoding API?

    I would not like to circumvent this by routing messages with server if there was an alternative.

    Response headers from Google Maps Geocoding API:

    1. Access-Control-Allow-Origin:
      *
    2. Cache-Control:
      no-cache, must-revalidate
    3. Content-Encoding:
      gzip
    4. Content-Length:
      413
    5. Content-Type:
      text/javascript; charset=UTF-8
    6. Date:
      Thu, 24 Oct 2013 12:09:11 GMT
    7. Expires:
      Fri, 01 Jan 1990 00:00:00 GMT
    8. Pragma:
      no-cache
    9. Server:
      mafe
    10. X-Frame-Options:
      SAMEORIGIN
    11. X-XSS-Protection:
      1; mode=block

    Bing Maps Locations API response header:

    1. Allow:
      OPTIONS, TRACE, GET, HEAD, POST
    2. Content-Length:
      0
    3. Date:
      Thu, 24 Oct 2013 12:09:11 GMT
    4. Public:
      OPTIONS, TRACE, GET, HEAD, POST
    5. Server:
      Microsoft-IIS/8.0
    6. X-BM-TraceID:
      478cd693b3cf411bba68744991afcfc6
    7. X-Powered-By:
      ASP.NET

    Thursday, October 24, 2013 12:32 PM

Answers

All replies

  • How are you making this call? Note that if you are getting a cross domain with Bing Maps services you will get the same with Google Maps services using similar code unless your app is sitting on the google.com domain which I doubt.

    Cross domain issues occur when you try to call a web service that is hosted on a different service. There are lots of ways to get around this. If using JavaScript you would use JSONP. You shouldn't get cross domain issues on server side code.


    http://rbrundritt.wordpress.com

    Thursday, October 24, 2013 4:29 PM
    Owner
  • Nope, as you can see Google Maps Geocoding API allows cross-domain-requests. I have been successfully using it from client side. This is the key in the response header:

    Access-Control-Allow-Origin:
     
    *

    I'm making the calls from web-app client created with GWT so javascript based solution is possible. But still, is there any reason not to allow cross-domain-requests on the Bing Maps Rest services?

    Friday, October 25, 2013 5:21 AM
  • Okay, I fooled around with JSONP and what I learned is that for it to work you need the service notice callback=? parameter and wrap the response to it. For example:

    http://ws.geonames.org/postalCodeLookupJSON?postalcode=M1&country=GB&maxRows=4&callback=testcallback 

    This has response:

    testcallback({"postalcodes":[{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AD","adminCode1":"ENG","countryCode":"GB","lng":-2.2452158876675825,"placeName":"City Centre Ward","lat":53.48384413375431,"adminName1":"England"},{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AE","adminCode1":"ENG","countryCode":"GB","lng":-2.231169180066029,"placeName":"Ancoats and Clayton Ward","lat":53.48347666626938,"adminName1":"England"},{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AF","adminCode1":"ENG","countryCode":"GB","lng":-2.2371503855157546,"placeName":"City Centre Ward","lat":53.48054368697967,"adminName1":"England"},{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AG","adminCode1":"ENG","countryCode":"GB","lng":-2.2314544161354966,"placeName":"Ancoats and Clayton Ward","lat":53.4832783676659,"adminName1":"England"}]});

    This is not supported by Bing Maps Rest services...

    http://dev.virtualearth.net/REST/v1/Locations/EU/Aittolankatu%203,94600,KEMI?o=json&key=...&callback=testcallback(key omitted)

    The callback parameter does nothing in this case.

    Friday, October 25, 2013 6:22 AM
  • Ok, cross domain issue have nothing to do with Bing/Google or any other public service. This is handled at the browser level and independent of the services. Instead of using &callback=? use &jsonp=?

    Here is a blog post on how to do this: http://www.earthware.co.uk/blog/index.php/2010/10/using-jquery-with-the-bing-maps-rest-api/


    http://rbrundritt.wordpress.com

    Friday, October 25, 2013 2:33 PM
    Owner
  • Thanks, I got it working with JSONP.

    I know cross domain blocking is handled at browser level, but it can be disabled from the service host by adding Access-Control-Allow-Origin: * header. I tested this last week on a service I have control over and it allowed cross domain messages after adding that.

    Wednesday, October 30, 2013 6:37 AM