0

I have two code snippets:

$.getJSON("https://noembed.com/embed", {"format": "json", "url": input.val()}, function (data) {
// work with data
});

The second one:

$.getJSON("https://www.youtube.com/oembed", {"format": "json", "url": input.val()}, function (data) {
// work with data
});

The first one will be successful, but the second one not. They were both sent from http://localhost:8080/myapp/page. Why does the same origin policy not permit both requests? (Actually it's question about browsers).

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
marknorkin
  • 3,904
  • 10
  • 46
  • 82
  • 1
    Cross Origin Resource Sharing – Jaromanda X Sep 21 '15 at 09:38
  • 1
    Some servers permit browsers to do cross origin requests, some do not. See [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS). – jfriend00 Sep 21 '15 at 09:41
  • @jfriend00 so the differrence is that youtube does not include Access-Control-Allow-Origin header ? – marknorkin Sep 21 '15 at 10:00
  • 1
    Yes. There can be multiple CORS headers involved, so either none of them are present or something required for this particular operation is missing from YouTube. But, the point is that the server decides if it wants to permit cross origin operations from browsers and thus your two servers are offering different capabilities in this regard. – jfriend00 Sep 21 '15 at 16:46
  • @jfriend00 Thanks for the reply! If you put this as the answer - i will gladly accept it. Also maybe you have an explanation why youtube does not allow such requests ? – marknorkin Sep 22 '15 at 06:17
  • This one is a bit baffling. I guess I'd like to see the actual network trace to see what exactly is being sent to youtube and exactly what CORS headers are present and perhaps learn more about why it is failing. This particular API appears to exist for cross-origin reasons so something else must be going on here. – jfriend00 Sep 22 '15 at 06:42

1 Answers1

1

Some servers permit browsers to do cross origin requests, some do not. See CORS.

There can be multiple CORS headers involved, so either none of them are present or something required for this particular operation is missing from YouTube. But, the point is that the server decides if it wants to permit cross origin operations from browsers and thus your two servers are offering different capabilities in this regard.

This particular youtube API is a bit suspect though because it exists purely for cross-origin reasons so there must be something else going on that is preventing it from working. To learn more, one would have to look at the network trace to see exactly what was being sent to youtube, what CORS headers were present and perhaps what exactly might be causing this. Could, for example, there be an http/https mismatch and that's why CORS is failing?

jfriend00
  • 683,504
  • 96
  • 985
  • 979