JSONP request working cross-domain, but can't figure out origin

Question

JSONP request working cross-domain, but can't figure out origin

I'm trying out a JSONP call. I have a NodeJs app in server 1, under domain domain1.com looking like this:

server.get('/api/testjsonp', function(req, res) {

  var clientId = req.param('clientId');

  res.header('Content-Type', 'application/json');
  res.header('Charset', 'utf-8') 
  res.send(req.query.callback + '({"something": "rather", "more": "fun",
          "sourceDomain": "' + req.headers.origin + '"' + ',"clientId":"' + clientId + 
          '"});');  

});

In another server (server 2) and under a different domain (domain2.com), I have created a test html page with a call like this:

    var data = { clientId : 1234567890 };

            $.ajax({
                    dataType: 'jsonp',
                    data: data,
                    jsonp: 'callback',
                    url: 'https://domain1.com/api/testjsonp?callback=1',                        
                    success: function(data) {
                        alert('success');
                    },
        error: function(err){
                        alert('ERROR');
                        console.log(err);
                    }
                });

I have 2 problems here:

1) Why is this working? Isn't it a cross-domain call and therefore I'd need to implement the ALLOW-ORIGIN headers stuff? I'm following this example:

http://css.dzone.com/articles/ajax-requests-other-domains

http://benbuckman.net/tech/12/04/cracking-cross-domainallow-origin-nut

2) In the server, I can't figure out which domain is making the call, req.headers.origin is always undefined. I'd like to be able to know which domain is calling, to prevent unwanted calls. Alternative I could check for the calling IP, any idea how?

Many thanks

node.js
express
cross-domain
jsonp
cors

Answer 1

Why is this working? Isn't it a cross-domain call and therefore I'd need to implement the ALLOW-ORIGIN headers stuff? I

Are far as the browser is concerned, you aren't directly reading data from a different origin. You are loading a JavaScript program from another origin (and it happens to have some data bundled in it).

In the server, I can't figure out which domain is making the call, req.headers.origin is always undefined. I'd like to be able to know which domain is calling, to prevent unwanted calls.

The URL of the referring page is stored in the Referer header, not the Origin header. It is, however, optional and won't be sent under many circumstances.

If you want to limit access to the data to certain sites, then you can't use JSON-P. Use plain JSON and CORS instead.

Alternative I could check for the calling IP, any idea how?

That would give you the address of the client, not the server that directed the client to you.