I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I’ve read through Ways to circumvent the same-origin policy, but it seems the methods described there aren’t appropriate for me:
- The document.domain method – only works on subdomains.
- The Cross-Origin Resource Sharing method – requires server cooperation.
- The window.postMessage method – seems to require opening a popup window?
- The Reverse Proxy method – A possible solution, but seems a bit too hard to setup.
- http://anyorigin.com – seems to not support SSL.
Is this it? Must I implement solution 4, which seems rather complicated, or am I missing something?
Sorry, it seems that anyorigin.com does support https.
The reason I naively thought it doesn’t, is because the API in question returns JSON, and I thought I would actually just get a plain text response (as in my tests with using anyorigin.com on google.com). When it returned just an
object, I figured something was broken.It appears the object simply returns the parsed JSON, so I’m good to go!
Update – anyorigin.com stopped working with some https sites a few weeks after I posted this, so I went ahead and wrote whateverorigin.org, an open source alternative to anyorigin.