Veeru A

Access-Control-Allow-Origin versus GETJSON vs ?callback=?

I have an APEX Public REST service running. When I try to access it with jQuery JavaScript, I get a lot of mixed results.

If I include the header Access-Control-Allow-Origin for the calling site in my APEX, then the call works OK.

If I do NOT include Access-Control-Allow-Origin in the APEX Class then I will get a JavaScript Access-Control-Allow-Origin Error.

If I do NOT include Access-Control-Allow-Origin and pass the URL in GETJSON with ?callback=? I get a 200 code but GETJSON sends a parsererror.

Question is...is there any way to allow GETJSON or Javascript in general to use this public REST endpoint WITHOUT specifying the site in Access-Control-Allow-Origin Header?

Unfortunately, you have to provide that header now to access this resource. More and more browsers and servers are starting to strictly enforce CORS and you will run into trouble. Adding this header does not add any overhead to your calls.

More reading: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
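
The three outcomes described in the question, modelled as an added example that is not part of the original thread or of anyone's Apex code. The origins, the `publicData` option and all function names are assumptions made for illustration; the browser check is a simplified model of a simple GET, and the JSONP check reflects how jQuery reports a callback that was never called.

```javascript
// Added example; the origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Server side: pick the CORS response headers for a request's Origin header.
function corsHeaders(requestOrigin, { publicData = false } = {}) {
  if (publicData) {
    // Any site may read the response; browsers reject "*" when the
    // request carries credentials (cookies, HTTP auth).
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    // Echo only an exact allowlist match; Vary keeps shared caches from
    // replaying one origin's response to another.
    return { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" };
  }
  return { Vary: "Origin" }; // no allow header: the browser blocks the read
}

// Browser side: simplified model of the check applied to a simple GET.
function browserAllowsRead(pageOrigin, headers, withCredentials = false) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== pageOrigin) return false;
  return !withCredentials ||
    headers["Access-Control-Allow-Credentials"] === "true";
}

// JSONP (?callback=?): the body is run as a script, so it must be a call to
// the generated callback. A plain JSON body returns 200 but never calls it,
// which jQuery reports as "parsererror".
function jsonpCallbackInvoked(body, callbackName) {
  const m = body.trim().match(/^([A-Za-z_$][\w$]*)\(([\s\S]*)\);?$/);
  if (!m || m[1] !== callbackName) return false;
  try { JSON.parse(m[2]); return true; } catch (e) { return false; }
}
```

Echoing the request's `Origin` back without the allowlist check would have the same reach as `*` while also working with credentials, so the exact-match lookup is the part to keep.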