I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I've read through Ways to circumvent the same-origin policy, but it seems the methods described there aren't appropriate for me:

1. The document.domain method - only works on subdomains.
2. The Cross-Origin Resource Sharing method - requires server cooperation.
3. The window.postMessage method - seems to require opening a popup window?
4. The Reverse Proxy method - A possible solution, but seems a bit too hard to setup.
5. - seems to not support SSL.

Is this it? Must I implement solution 4, which seems rather complicated, or am I missing something?

I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I've read through Ways to circumvent the same-origin policy, but it seems the methods described there aren't appropriate for me:

1. The document.domain method - only works on subdomains.
2. The Cross-Origin Resource Sharing method - requires server cooperation.
3. The window.postMessage method - seems to require opening a popup window?
4. The Reverse Proxy method - A possible solution, but seems a bit too hard to setup.
5. http://anyorigin.com - seems to not support SSL.

Is this it? Must I implement solution 4, which seems rather complicated, or am I missing something?

• javascript
• same-origin-policy

• 4 Can't you CURL the result from the other site with a regular PHP page on your own domain and then grab the JSON from that PHP page? – Peter Ajtai Commented Oct 6, 2011 at 21:41
• Wouldn't JSONP work here? – jwueller Commented Oct 6, 2011 at 21:42
• I'm pretty sure anyorigin.com supports SSL. Try fetching https://test.kems.net/, for example - it works just fine. – David Titarenco Commented Oct 7, 2011 at 1:36
• I am not a JSON expert, but I think you should give some more information about the "3rd party JSON API that is exposed on an https:// site.". How flexible is it? – curiousguy Commented Oct 7, 2011 at 5:06
• @curiosguy - this is the API. Not very flexible. mtgox.com/api/0/data/ticker.php – ripper234 Commented Oct 7, 2011 at 6:35

3 Answers 3

Sorry, it seems that anyorigin.com does support https.

The reason I naively thought it doesn't, is because the API in question returns JSON, and I thought I would actually just get a plain text response (as in my tests with using anyorigin.com on google.com). When it returned just an object, I figured something was broken.

It appears the object simply returns the parsed JSON, so I'm good to go!

Update - anyorigin.com stopped working with some https sites a few weeks after I posted this, so I went ahead and wrote whateverorigin.org, an open source alternative to anyorigin.

You can use Ajax-cross-origin a jQuery plugin. With this plugin you use jQuery.ajax() cross domain.

It is very simple to use:

    $.ajax({
        crossOrigin: true,
        url: url,
        success: function(data) {
            console.log(data);
        }
    });

You can read more here: http://www.ajax-cross-origin.com/

JSONP should be on your list, and higher up. Pretty much the standard. It requires server cooperation, but most any API should know what they're doing and support it.

here is a real basic writeup of how it works