
Why are AJAX requests limited to same domain?

Something I find really confusing is why AJAX requests are limited to the same domain. What is the reasoning behind this?

I don't see any problem with requesting files from external locations. Also, servers making XMLHTTP requests seem to get and post to external locations fine.

Tom Gullen asked Jul 01 '10 09:07




3 Answers

Picture this:

You come to my fabulous website www.halfnakedgirls.com. You have fun watching what looks like technical documentation on human physiology, but behind your back, some lines of JavaScript are executing some requests to another domain, let's say www.yourpaypallike.com.

Requests like http://www.yourpaypallike.com/account/[email protected]&amount=984654 or http://www.mymailprovider.com/mails/export?format=csv.

Do you now see why it is forbidden? =)

Clement Herreman answered Oct 25 '22 12:10


Tom, it is not "Ajax request limited". AJAX is based on JavaScript. For security reasons, JavaScript is prohibited from cross-domain access. If you really want to do cross-domain Ajax, you can do a hack.

YourPage(Ajax) ----> YourServer ----> ExternalDomain

You can call a page on your server using Ajax. Your domain will call the external domain server-side, get the result, and then return it to you as the Ajax response. Of course, the request to the ExternalDomain server will be made WITHOUT sending the cookies for ExternalDomain that reside in your browser's memory. That's because the request is done by your server and not your browser.

BlueBird answered Oct 25 '22 12:10


It's for security purposes - if a website could execute AJAX calls to any domain it wanted on the client side, it would pose a serious risk.

There are ways around this though - you could have your AJAX call a PHP script on the same domain, which in turn can call a script from another domain and return it. This wouldn't be using the browser as the communication medium though, it'd be using your web server.

xil3 answered Oct 25 '22 10:10
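
The difference the answers above describe, as an added example that is not part of the original posts: a small model of the strict same-origin rule (no CORS opt-in by the target), showing which cookies would accompany a request made by the browser versus one relayed through the page's own server. The hosts, cookie values and function names are constructed for illustration.

```javascript
// Model of the browser-side rule only; no network traffic is generated.
// Hosts, cookie values and function names are constructed for this example.

// An origin is the (scheme, host, port) triple; URL#origin serializes it
// and drops default ports, so :80 on http compares equal to no port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Cookies are chosen by the request's destination host, not by the page
// that triggered the request. That is the ambient authority at stake.
function cookiesFor(jar, targetUrl) {
  return jar[new URL(targetUrl).hostname] || "";
}

// Request made by a script running in the user's browser.
// enforceSameOrigin=false models a hypothetical browser without the rule.
function browserRequest(pageUrl, targetUrl, browserJar, enforceSameOrigin = true) {
  if (enforceSameOrigin && !sameOrigin(pageUrl, targetUrl)) {
    return { sent: false, cookies: "", scriptReadsResponse: false };
  }
  return { sent: true, cookies: cookiesFor(browserJar, targetUrl), scriptReadsResponse: true };
}

// Request made by the page's own server on the script's behalf
// (YourPage -> YourServer -> ExternalDomain). The server has its own jar.
function relayRequest(targetUrl, serverJar = {}) {
  return { sent: true, cookies: cookiesFor(serverJar, targetUrl), scriptReadsResponse: true };
}

// Constructed sample state: the user is logged in at bank.example.
const browserJar = { "bank.example": "session=constructed-user-session" };
const page = "https://app.example/index.html";
const target = "https://bank.example/account";

console.log("same-origin rule on:", browserRequest(page, target, browserJar));
console.log("rule switched off  :", browserRequest(page, target, browserJar, false));
console.log("via server relay   :", relayRequest(target));
```

Only the middle case carries the user's session to the other site, which is the situation the restriction exists to prevent; the relay reaches the same URL but as an anonymous client.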