tags:

views:

2214

answers:

6
+3  Q: 

Cross domain Ajax request from within js file.

Here's the problem:

1.) We have page here... www.blah.com/mypage.html

2.) That page requests a js file www.foo.com like this...

<script type="text/javascript" src="http://www.foo.com/jsfile.js" />

3.) "jsfile.js" uses Prototype to make an Ajax request back to www.foo.com.

4.) The ajax request calls www.foo.com/blah.html. The callback function gets the html response and throws it into a div.

This doesn't seem to work though, I guess it is XSS. Is that correct?

If so, how can I solve this problem? Is there any other way to get my html from www.foo.com to www.blah.com on the client without using an iframe?

+6  A: 

It is XSS and it is forbidden. You should really not do things that way.

If you really need to, make your AJAX code call the local code (PHP, ASP, whatever) on blah.com and make it behave like client and fetch whatever you need from foo.com and return that back to the client. If you use PHP, you can do this with fopen('www.foo.com/blah.html', 'r') and then reading the contents as if it was a regular file.

Of course, allow_remote_url_fopen (or whatever it is called exactly) needs to be enabled in your php.ini.

Milan Babuškov  2008-11-25 22:14:25
+2  A: 

One option is to implement a proxy page which takes the needed url as a parameter. e.g. http://blah.com/proxy?uri=http://foo.com/actualRequest

Rohit  2008-11-25 22:42:03
You'd better do a little validation on it to make sure that the URL is one that you expect... otherwise it is a major security hole.
rmeador  2008-11-25 23:00:33
Of course. I thought it was implied when I said "implement".
Rohit  2008-11-26 13:54:21
A: 

The method shown above could become a large security hole. Suggest you verify the site name against a white list and build the actual URI being proxied on the server side.

Chris Nava  2008-11-25 22:48:31
+2  A: 

There is a w3c proposal for allowing sites to specify other sites which are allowed to make cross site queries to them. (Wikipedia might want to allow all request for articles, say, but google mail wouldn't want to allow requests - since this might allow any website open when you are logged into google mail to read your mail).

This might be available at some point in the future.

tatwright  2008-11-25 23:09:52
A: 

For cross domain hits this is a good working example and now is considered as some what "standard" http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html.

there are other ways as well, for eg injecting iframes with document.domain altered

http://fettig.net/weblog/2005/11/28/how-to-make-xmlhttprequest-connections-to-another-server-in-your-domain/

I still agre that the easy way is calling a proxy in same domain but then it's not truly client side WS call.

varun  2009-05-03 08:36:37
A: 

JSONP was partially designed to get around the problem you are having

http://ajaxian.com/archives/jsonp-json-with-padding

JQuery has it in their $.getJSON method

http://docs.jquery.com/Ajax/jQuery.getJSON

Brian Hedler  2009-05-03 09:07:28

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?