Elvis 4 API - cross origin

Web browsers block AJAX calls to an Elvis server if the webpage that is making the call is not on the same domain. For example, if your server is running on http://elvis.yourdomain.com and you want to perform a cross domain REST search from a webpage hosted on http://www.yourdomain.com, the web browser will not perform the request.

The same-origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin.

Cross-domain solutions

There are several techniques you can use to work around the same-origin restrictions imposed by web browsers. The following techniques are supported by the Elvis server.

CORS (Cross-Origin Resource Sharing)

CORS is a technology available in modern web browsers. It depends on special headers and behavior provided by the web server that receives the API calls.

The Elvis server supports this kind of behavior and will send the appropriate headers and responses to browsers. When needed, it will respond with an Access-Control-Allow-Origin header. You can restrict the domains from which calls can be made to the server by setting accessControlAllowOrigin=my.domain.com in your server config. The default, accessControlAllowOrigin=*, allows access from any domain.

To enable cross-domain requests using jQuery, pass the following to the AJAX call:

   $.ajax({
      url: a_cross_domain_url,
      xhrFields: {
         withCredentials: true
      }
   });
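
An added example (not part of the original article or of Elvis itself) that models how a browser treats a CORS response to the credentialed call above and flags permissive settings such as the wildcard default. The function name, finding codes and sample headers are constructed for illustration and were not captured from an Elvis server; header values are assumed to be full origins (scheme and host).

```javascript
// Classify a CORS response for a page at `pageOrigin`.
// headers: response headers with lower-cased names (constructed samples below).
// allowed: origins you intend to permit (what accessControlAllowOrigin should express).
// withCredentials: true when the call uses xhrFields: { withCredentials: true }.
function auditCors(pageOrigin, headers, allowed, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return ['BLOCKED_NO_ACAO'];

  const findings = [];
  if (acao === '*') {
    // Any site may read non-credentialed responses.
    findings.push('RISK_WILDCARD');
    // Browsers refuse a wildcard when the request carries credentials.
    if (withCredentials) findings.push('BLOCKED_WILDCARD_WITH_CREDENTIALS');
    return findings;
  }
  // The browser only exposes the response if the header names the calling origin.
  if (acao !== pageOrigin) findings.push('BLOCKED_ORIGIN_MISMATCH');
  // Credentialed reads also need Access-Control-Allow-Credentials: true.
  if (withCredentials && !acac) findings.push('BLOCKED_NO_ALLOW_CREDENTIALS');
  // The server permits an origin you did not intend to trust.
  if (!allowed.includes(acao)) findings.push('RISK_ORIGIN_NOT_IN_ALLOWLIST');
  return findings;
}

// Constructed sample responses, all evaluated as credentialed requests.
const ALLOWED = ['http://www.yourdomain.com'];
const SAMPLES = [
  { name: 'wildcard default', page: 'http://www.yourdomain.com',
    headers: { 'access-control-allow-origin': '*' } },
  { name: 'restricted origin', page: 'http://www.yourdomain.com',
    headers: { 'access-control-allow-origin': 'http://www.yourdomain.com',
               'access-control-allow-credentials': 'true' } },
  { name: 'unintended origin allowed', page: 'http://other.example',
    headers: { 'access-control-allow-origin': 'http://other.example',
               'access-control-allow-credentials': 'true' } },
];

function runSamples() {
  return SAMPLES.map(s =>
    `${s.name}: ${auditCors(s.page, s.headers, ALLOWED, true).join(',') || 'OK'}`);
}

console.log(runSamples().join('\n'));
```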


JSONP

CORS only works in recent browser versions, so if your application has to work in older browsers too, JSONP is a good alternative.

JSONP works by dynamically inserting <script> elements for each request made to the server. The server wraps the data in a function that is executed when that data is loaded by the web browser. That function can then pass control to your code so you can use the received JSON data.

Libraries like jQuery have built-in support for JSONP. Just set dataType='jsonp' in your jQuery.ajax call.

   $.ajax({
      url: a_cross_domain_url,
      dataType: 'jsonp'
   });

jQuery then adds an extra ?callback=... to the end of your URL to specify the callback. This matches the standard callback parameter name supported by Elvis: callback=<function name>.

If required, you can use a different parameter name instead of the default: set jsonpCallbackParam=... in your server config.

Web Proxy

A web proxy is the simplest way to deal with cross-domain issues. It is far from ideal due to possible performance issues, but it always works.


In some scenarios, cross-domain calls make it difficult to keep authentication across requests. For example, session cookies received through a cross-domain request will be ignored by the web browser. Elvis supports several methods to make your life easier in these cases.

The ElvisAPI class in our open-source JavaScript library automatically handles cross-domain calls and appends ;jsessionid= to thumbnail, preview and original URLs to make them work correctly.

URL Request secrets will allow images to be requested, even if the browser has no authenticated session with the server.

Adobe Flash crossdomain.xml

Cross-domain requests from a Flash SWF to an Elvis server on a different domain require a crossdomain.xml file to be placed at the root level of the server.

Since all content on the domain is usually served by Elvis (unless you use a proxy), we have made it easy to configure this file. Just go to the Config folder of the server and rename the sample -crossdomain.xml file provided there to crossdomain.xml.

You can change the settings in the crossdomain.xml file to suit your own needs.
