We have developed an application utilizing the Authorize.NET API implemented in JavaScript. We have just finished testing (using the dev URL, https://apitest.authorize.net/xml/v1/request.api) and all went well. However, once we started testing using the production API, we started getting cross-domain scripting errors. We noticed that the headers on the dev API URL contain “Access-Control-Allow-Origin:*”. However, the production API URL (https://api.authorize.net/xml/v1/request.api) is missing this header, which makes cross-domain communication via JavaScript impossible. Has anyone else run into this?
These headers are below. Notice the missing headers in the second example.
Thank you in advance for any advice.
Response Headers for https://apitest.authorize.net/xml/v1/request.api
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Headers: x-requested-with,cache-control,content-type,origin,method
Date: Fri, 14 Nov 2014 14:52:22 GMT
Content-Length: 365
Age: 1
Via: HTTPS/1.1 localhost.localdomain
Response Headers for https://api.authorize.net/xml/v1/request.api
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 14 Nov 2014 14:53:13 GMT
Content-Length: 365
Age: 0
Via: HTTPS/1.1 localhost.localdomain
11-14-2014 07:41 AM
Off topic question.
How are you hiding your transactionKey and LoginID, or stopping them from reaching the browser?
11-14-2014 07:59 AM
We were under the impression that the keys were specific to referrals from the host, similar to a Google API Key. We are working to make this a server-side implementation now. Thanks for the feedback.
11-14-2014 08:52 AM
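Added example (not part of the thread and not Authorize.NET's code): one way to structure the server-side implementation mentioned in the last reply, in Node.js. The login ID and transaction key stay in server configuration and the browser sends only allow-listed fields; the XML envelope, the field names and the shape of the credentials object are assumptions for illustration.

```javascript
// Added example, not code from the thread. The XML envelope and field
// names are simplified placeholders, not the full Authorize.NET schema.
const API_URL = 'https://api.authorize.net/xml/v1/request.api'; // from the post

// Fields the browser may supply (hypothetical names).
const CLIENT_FIELDS = ['amount', 'invoiceNumber'];

// Escape text so client input cannot inject extra XML elements.
function xmlEscape(value) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&apos;', '"': '&quot;' };
  return String(value).replace(/[<>&'"]/g, (c) => map[c]);
}

// Build the outbound body on the server. Credentials come only from
// server-side configuration; any field outside the allow-list is rejected,
// so the browser can neither see nor override the transaction key.
function buildRequest(clientInput, creds) {
  if (!creds || !creds.loginId || !creds.transactionKey) {
    throw new Error('server credentials are not configured');
  }
  const unknown = Object.keys(clientInput || {}).filter((k) => !CLIENT_FIELDS.includes(k));
  if (unknown.length > 0) {
    throw new Error('unexpected field(s): ' + unknown.join(', '));
  }
  const fields = CLIENT_FIELDS
    .filter((k) => clientInput && clientInput[k] !== undefined)
    .map((k) => `<${k}>${xmlEscape(clientInput[k])}</${k}>`)
    .join('');
  return '<request><merchantAuthentication>' +
    `<name>${xmlEscape(creds.loginId)}</name>` +
    `<transactionKey>${xmlEscape(creds.transactionKey)}</transactionKey>` +
    `</merchantAuthentication>${fields}</request>`;
}

// Server-to-server call. CORS is enforced by browsers only, so the missing
// Access-Control-Allow-Origin header on the production URL does not matter here.
// fetchImpl defaults to the global fetch (Node 18+); tests can pass a stub.
async function relay(clientInput, creds, fetchImpl = fetch) {
  const res = await fetchImpl(API_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'text/xml' },
    body: buildRequest(clientInput, creds),
  });
  return { status: res.status, body: await res.text() };
}
```

The browser then posts only the allow-listed fields to a same-origin endpoint that calls `relay`, so no cross-origin request is made from the page.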