Firefox addons allow you to do cross-domain communication.
Is there any way to expose this function so I can initiate cross-domain ajax from any page (given I have installed this addon)?
Edit: I know what is CORS, and CORS only make sense when you have control the server, but I don't. The point here is I control the browser, I bear the risk so I am asking if anyway to export the cross-domain function from addon stage to the userland.
CORS or Cross Origin Resource Sharing is blocked in modern browsers by default (in JavaScript APIs). Installing this add-on will allow you to unblock this feature. Please note that, when the add-on is added to your browser, it is in-active by default (toolbar icon is grey C letter).
In Firefox, the preference that disables CORS is content. cors. disable . Setting this to true disables CORS, so whenever that's the case, CORS requests will always fail with this error.
In the Firefox menu bar go to Tools > Add-ons. Click the settings cog dropdown menu and select Install Add-on From File... Select the downloaded focus-extension-firefix-x.x.x.xpi extension and select open.
As you have said, the same origin policy only serves to protect the client (yourself), usually from XSS attacks.
I'm not sure what you're trying to achieve with the addon, but you can certainly try doing the following on your own machine. By changing the settings on firefox, you can ignore the same origin policy.
If you're trying to develop a plugin that allows cross domain access (and thus potentially open up vulnerabilities in your client-base), you may need to employ some unorthodox tricks. I can think of a couple ways, but like CORS, you will need access to SOME server at least. You can essentially create a proxy that fetches the resources on your server instead. Ie, the users of your plugin hits http://yourwebsite.com/?url=http://someotherwebsite.com/resource.
I can think of no way to do a client-side only solution.
Cross domain communication aka CORS (Cross Origin Resource Share) is only possible if the server allows it, and the browser supports it.
Easy reading in this Wikipedia article
Heavy reading in this W3C document which is still a working draft.
I have used CORS now for a year in the C# Webserver. I noticed whenever I do not add the CORS headers on the server side, I run into the same origin policy
. Even when requesting to the same IP address but a different port.
If the server does not support CORS, you may find your cross domain requests to fail
EDIT:
I recently learned that the same domain policy can be worked around using Yahoo! Query Language (YQL). See the link for more information.
See this SO item for an example Cross Domain Post method ajax call using jquery with xml response
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With