Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

A question about cross-domain (subdomain) ajax request

Let's say I have the main page loaded from http://www.example.com/index.html. On that page there is js code that makes an ajax request to http://n1.example.com//echo?message=hello. When the response is received a div on the main page is updated with the response body.

Will that work on all popular browsers?

Edit:

The obvious solution is to put a proxy in front of www.example.com and n1.example.com and set it so that every request going to a subresource of http://www.example.com/n1 gets proxied to http://n1.example.com/.

like image 223
Vasil Avatar asked Mar 16 '09 00:03

Vasil


People also ask

Why is cross domain not allowed in Ajax?

Because of Same origin policy. The same-origin policy exists to prevent malicious use of resources. If there were no rules governing cross-domain script access, it would be trivial to wreak all manner of havoc on unsuspecting users.

Is a subdomain considered cross domain?

Sub-domains are considered different and will fail the Same Origin Policy unless both sub-domains declare the same document. domain DOM property (and even then, different browsers behave differently).

What is cross domain violation Ajax?

A common problem for developers is a browser to refuse access to a remote resource. Usually, this happens when you execute AJAX cross domain request using jQuery Ajax interface, Fetch API, or plain XMLHttpRequest. As result is that the AJAX request is not performed and data are not retrieved.

How do I make a cross domain request in Ajax?

For a successful cross-domain communication, we need to use dataType “jsonp” in jquery ajax call. JSONP or “JSON with padding” is a complement to the base JSON data format which provides a method to request data from a server in a different domain, something prohibited by typical web browsers.


2 Answers

Cross domain is entirely a different subject. But cross sub-domain is relatively easy. All you need to do is to set the document.domain to be same in both the parent page and the iframe page.

document.domain = "yourdomain.com" 

More info here

Note: this technique will only let you interact with iframes from parents of your domain. It does not alter the Origin sent by XMLHttpRequest.

like image 76
shazmoh Avatar answered Sep 28 '22 02:09

shazmoh


All modern browsers support CORS and henceforth we should leverage this addition.

It works on simple handshaking technique were the 2 domains communicating trust each other by way of HTTP headers sent/received. This was long awaited as same origin policy was necessary to avoid XSS and other malicious attempts.

To initiate a cross-origin request, a browser sends the request with an Origin HTTP header. The value of this header is the site that served the page. For example, suppose a page on http://www.example-social-network.com attempts to access a user's data in online-personal-calendar.com. If the user's browser implements CORS, the following request header would be sent:

Origin: http://www.example-social-network.com

If online-personal-calendar.com allows the request, it sends an Access-Control-Allow-Origin header in its response. The value of the header indicates what origin sites are allowed. For example, a response to the previous request would contain the following:

Access-Control-Allow-Origin: http://www.example-social-network.com

If the server does not allow the cross-origin request, the browser will deliver an error to example-social-network.com page instead of the online-personal-calendar.com response.

To allow access to all pages, a server can send the following response header:

Access-Control-Allow-Origin: *

However, this might not be appropriate for situations in which security is a concern.

Very well explained here in below wiki page. http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

like image 31
Melwyn Furtado Avatar answered Sep 28 '22 01:09

Melwyn Furtado