XMLHttpRequest cross site scripting on same server but different port

Using XMLHttpRequest, it is not possible to open a connection to a document on a different domain than the one the page itself is hosted on.

But what about different ports?

For example, I have a web server running on my machine listening on port 80, so the web address would look like this:

http://localhost:80/mypage.html

And I have another web server running on localhost which is meant to process the AJAX requests but listens on a different port, so the JavaScript in mypage.html would look like this:

var xmlhttp = new XMLHttpRequest();                              // same variable name is used on the lines below
xmlhttp.open("GET", "http://localhost:1234/?parameters", true);  // port 1234, while the page itself came from port 80
xmlhttp.send();

Would this work? Or will it give a security exception as well?

clamp asked Jan 12 '11 13:01


2 Answers

Using a different port does indeed count as cross-site scripting.

There are several well-known ways to make a call (you can always send the data) and use the response (which is what you cannot normally do under anti-xss constraints), including JSONP and using an iframe in the page to load the data.

justkt answered Nov 15 '22 09:11


This wouldn't go as it is still practically on another server (at least another server instance, which may not be under your control).

You could add an Access-Control-Allow-Origin: http://yourdomain:1234/ in the headers; google for Cross-Origin Resource Sharing. It's relatively new though, so not all browsers know about this. Or you can use jQuery (read more on http://softwareas.com/cross-domain-communication-with-iframes).

Zlatko answered Nov 15 '22 09:11