Why is cross domain not allowed, and is it possible to circumvent it?


  • Hello,

    I was trying to use Bing Maps Locations API from my GWT-application, but the call did not go through since cross domain messages are not allowed. I was previously using Google Maps Geocoding API which had no problems with cross domain messages, but due to licensing agreements we're now using Bing Maps.

    I wonder if it would be possible to make Bing Maps Locations API behave similarly to Google Maps Geocoding API?

    I would not like to circumvent this by routing messages with a server if there was an alternative.

    Response headers from Google Maps Geocoding API:

    1. Access-Control-Allow-Origin:
    2. Cache-Control: no-cache, must-revalidate
    3. Content-Encoding:
    4. Content-Length:
    5. Content-Type: text/javascript; charset=UTF-8
    6. Date: Thu, 24 Oct 2013 12:09:11 GMT
    7. Expires: Fri, 01 Jan 1990 00:00:00 GMT
    8. Pragma:
    9. Server:
    10. X-Frame-Options:
    11. X-XSS-Protection: 1; mode=block

    Bing Maps Locations API response header:

    1. Allow:
    2. Content-Length:
    3. Date: Thu, 24 Oct 2013 12:09:11 GMT
    4. Public:
    5. Server:
    6. X-BM-TraceID:
    7. X-Powered-By:

    Thursday, October 24, 2013 12:32 PM


All replies

  • How are you making this call? Note that if you are getting a cross domain issue with Bing Maps services, you will get the same with Google Maps services using similar code, unless your app is sitting on the domain, which I doubt.

    Cross domain issues occur when you try to call a web service that is hosted on a different service. There are lots of ways to get around this. If using JavaScript you would use JSONP. You shouldn't get cross domain issues on server side code.

    Thursday, October 24, 2013 4:29 PM
  • Nope, as you can see Google Maps Geocoding API allows cross-domain-requests. I have been successfully using it from client side. This is the key in the response header:


    I'm making the calls from a web-app client created with GWT, so a JavaScript-based solution is possible. But still, is there any reason not to allow cross-domain-requests on the Bing Maps REST services?

    Friday, October 25, 2013 5:21 AM
  • Okay, I fooled around with JSONP and what I learned is that for it to work you need the service to notice the callback=? parameter and wrap the response in it. For example:

    This has response:

    testcallback({"postalcodes":[{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AD","adminCode1":"ENG","countryCode":"GB","lng":-2.2452158876675825,"placeName":"City Centre Ward","lat":53.48384413375431,"adminName1":"England"},{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AE","adminCode1":"ENG","countryCode":"GB","lng":-2.231169180066029,"placeName":"Ancoats and Clayton Ward","lat":53.48347666626938,"adminName1":"England"},{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AF","adminCode1":"ENG","countryCode":"GB","lng":-2.2371503855157546,"placeName":"City Centre Ward","lat":53.48054368697967,"adminName1":"England"},{"adminCode3":"E08000003","adminName3":"Manchester District (B)","adminCode2":"","postalcode":"M1 1AG","adminCode1":"ENG","countryCode":"GB","lng":-2.2314544161354966,"placeName":"Ancoats and Clayton Ward","lat":53.4832783676659,"adminName1":"England"}]});

    This is not supported by Bing Maps REST services: ...,94600,KEMI?o=json&key=...&callback=testcallback (key omitted)

    The callback parameter does nothing in this case.

    Friday, October 25, 2013 6:22 AM
  • OK, cross domain issues have nothing to do with Bing/Google or any other public service. This is handled at the browser level and independent of the services. Instead of using &callback=? use &jsonp=?

    Here is a blog post on how to do this:

    Friday, October 25, 2013 2:33 PM
  • Thanks, I got it working with JSONP.

    I know cross domain blocking is handled at browser level, but it can be disabled from the service host by adding Access-Control-Allow-Origin: * header. I tested this last week on a service I have control over and it allowed cross domain messages after adding that.

    Wednesday, October 30, 2013 6:37 AM
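
The two mechanisms discussed in this thread, as an added example that is not part of any post and is not Bing or Google code: a service-side JSONP wrapper that validates the callback name before echoing it, and a simplified model of the browser's check on `Access-Control-Allow-Origin`. The function names (`wrapJsonp`, `corsAllowsRead`), the origin `https://app.example` and the header sets are assumptions constructed for illustration.

```javascript
// Added illustration; function names and sample data are hypothetical.

// JSONP: the service wraps its JSON in a call to the function the client
// names. Accepting only identifier characters keeps the query string from
// placing arbitrary script into a response the page will execute.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function wrapJsonp(callbackName, payload) {
  if (typeof callbackName !== "string" || callbackName.length > 64 ||
      !CALLBACK_NAME.test(callbackName)) {
    return null; // a service would answer 400 rather than echo the name
  }
  // U+2028/U+2029 are escaped for older JavaScript parsers.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
  return `${callbackName}(${json});`;
}

// CORS: simplified model of the browser's check on a cross-origin response.
// Script on the page may read the body only if the header admits its origin.
function corsAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;       // header absent
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;      // exact match required
  return !withCredentials || h["access-control-allow-credentials"] === "true";
}

// Constructed sample data.
const page = "https://app.example";
const noCorsHeaders = { "Content-Length": "512", "Server": "example" };
const wildcard = { "Access-Control-Allow-Origin": "*" };
const pinned = { "Access-Control-Allow-Origin": page,
                 "Access-Control-Allow-Credentials": "true" };

console.log(wrapJsonp("testcallback", { postalcode: "M1 1AD" }));
console.log(corsAllowsRead(page, noCorsHeaders));  // header absent: blocked
console.log(corsAllowsRead(page, wildcard));       // wildcard, no cookies
console.log(corsAllowsRead(page, wildcard, true)); // wildcard with cookies
console.log(corsAllowsRead(page, pinned, true));   // pinned origin
```

With JSONP the page executes whatever script the service returns, while a CORS response is only data the page reads; the wildcard value is refused by browsers for requests that carry credentials.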