locked
CRM 2011 Cross site scripting RRS feed

  • Question

  • I've got external WCF webservice hosted on diffrent site need to call taht WCF serivce from JS (Json) (silverlight is not an option )it has to be a (post call) but I hit a problem of cross site scripting I've tried to play wit Application Request Routing  on iis but can't really make it working , has anyone done that ?

     

    Thursday, April 21, 2011 4:10 PM

Answers

All replies

  • By default, cross frame scripting is disabled for an Iframe.  If you go to the form customization screen and double click on your iframe and look at it's properties you might need to un-check the restrict cross frame scripting checkbox.


    Jamie Miley
    http://mileyja.blogspot.com
    Linked-In Profile
    Follow Me on Twitter!
    Thursday, April 21, 2011 4:27 PM
    Moderator
  • Hmmm thank for your reply but did I mention any IFRAME ???? in my post ??? I'm talking about  external call to WCF service (post method)

    Regards

    SW

     


    Friday, April 22, 2011 10:51 AM
  • We are doing a simmilar thing, actually making a get request to a sharepoint service, the only way to get this working is to play with the browser settings.

    If you find a way without having to change IE settings, I am all ears...


    UPDATE: The settings changed were

    - Security Settings -> Miscellaneous -> Access data sources accross domains -> Enable

    - Security Settings -> Scripting -> Enable XSS filter -> Disable

    • Proposed as answer by Nar_mscrm Friday, April 22, 2011 1:07 PM
    • Edited by Can Bilgin Friday, April 22, 2011 1:50 PM Additional Info
    Friday, April 22, 2011 12:36 PM
  • Can Bilgin, Do you know which browser settings helped you?  Sebastian may find that helpful.  Iframe was the most common scenario where cross-frame scripting is involved, sorry.


    Jamie Miley
    http://mileyja.blogspot.com
    Linked-In Profile
    Follow Me on Twitter!
    Friday, April 22, 2011 1:11 PM
    Moderator
  • Hi Jamie, I added the settings in the previous post now, but I do not think this is actually a solution in most cases...
    Friday, April 22, 2011 1:51 PM
  • I WOULD NOT recommend changing those browser settings as it will open major security holes. I would recommend using JSONP http://jasonkelly.net/2009/05/using-jquery-jsonp-for-cross-domain-ajax-with-wcf-services/, CORS (XDomainRequest in IE) http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/c412e600-0f4e-4a5b-8c45-bf77ed04f2a8/, or registering a WCF endpoint in CRM using the plugin registration tool and having that endpoint just do a server-to-server request to get the data. 

     

    Friday, April 22, 2011 3:14 PM
  • XDomainRequest  is only IE8 and above CRM2011 is IE7 and up , so CORS is my last resort , plugin is another option but because need to return data from service is undesirable, Application Request Routing  should help but I'm looking for someone sho did that sucessfuly

    SW

    Friday, April 22, 2011 5:44 PM
  • It has really helped me :-D

    Thanks a lot for this simple but effective solution!
    (I'm not a programmer so abbreviations like JSON, JSONP, XML, XMLHttpRequest or so were becoming my nightmare).

    Vlasta
    Wednesday, May 25, 2011 11:06 AM
  • How would I "register a WCF endpoint in CRM using the plugin registration tool and having that endpoint just do a server-to-server request to get the data. " ?

    mv

    Wednesday, December 12, 2012 9:21 PM