I would like to execute a cross domain http request from a website. What are my options?

Javascript is out, because most browsers don't allow cross domain calls. Generally the solution is to use a proxy, but that isn't an option for this project.

The other things I was thinking about would be to use Flash or maybe Java. Are there any other platforms that I could use?

A: 

"Javascript is out, because most browsers don't allow cross domain calls."

Unfortunately, Javascript is most definitely in. You just have to add a new script to the page with whatever src url you like. It's called Cross-Site Scripting (or XSS). IMO, the vulnerability it introduces renders moot all the other attempts by browsers to regulate a "same-origin" policy. They're just trying to patch a hole in a pair of pants that have already fallen down around your ankles.

Robusto
That's a very confused article, and in my opinion it is simply incorrect. The term "Cross-Site Scripting" (or XSS, as noted) refers to a type of *attack* by a hostile party (as is clear from the Wikipedia article) and it need not have anything to do with a `<script>` tag sourcing from a different domain than its own. It's a completely different matter for a page to deliberately exploit the ability to fetch scripts from anywhere. Indeed, it's extremely common, for example, to pull the jQuery library from Google's servers.
Pointy
Are you saying I could reference any arbitrary script from the other domain in my html and scripts from my server could post requests to the third party server?
@itakenocrud Yes of course those things are possible. The ability to POST to a URL from anywhere on the internet is why such things as secure sessions exist. Servers generally reject an incoming POST that is not correctly accompanied by a valid session cookie, possibly in conjunction with other secure information that only an authenticated client can have.
Pointy
@Pointy: What you say is true, and I may not have made myself clear. The point is, you *can* make cross-domain calls using Javascript. So the OP's assumption is, ipso facto, incorrect.
Robusto
@Robusto yes I agree. It all depends on the situation. For example, if he *owns* both domains, then there probably is no security issue at all. Similarly, if there is a known relationship between the two domains (say, part of a contractual business arrangement between two companies), then it's probably no problem to extend trust. Now, making a site that allows *anybody* to supply a URL for a script *anywhere*, well, that would be a big problem :-)
Pointy
@Pointy: Yes, I can't imagine a worse problem for the web than that. ;-)
Robusto
@Pointy I am dealing with a very poorly written webservice that provides html (it's really, really old). I tried using javascript's XML request and I saw their server respond with the correct html via Wireshark, but my request object gave me null/empty string when I tried to look @ the innerhtml/innerText respectively. This led me to believe that I had a "same-origin" policy violation with javascript and my browser (Chrome) wasn't giving the request object the return html.
@itakenocrud well you're right - the browser just won't let you do that. The security of the web (such as it is) depends on that.
Pointy
@Pointy I was looking into other solutions to get around this issue. If that is actually the case, I am surprised that Chrome let me make the request; I just can't see the reply.
That is pretty interesting. At some point I'll try it with Firefox and see what happens.
Pointy
+1  A: 

You will have to stick with the proxy solution because Flash and Java have the same cross-domain restrictions as Javascript. If this is something that is only for personal use, there is an option as I know with the Flex Builder and the debugger version of the Flash Player which can make cross-domain requests.

budinov.com
A: 

Both Java and Flash support crossdomain.xml files, as documented on Oracle and Adobe sites respectively.

W3C is working on a standard that takes a different approach. When that gets implemented by which systems, I cannot predict.

Tom Hawtin - tackline
The W3C standards referred to here are CORS and UMP; CORS is the deployed one and all major browsers support a subset of it. However, the remote servers need to be CORS-enabled to allow XMP requests from your host. For the time being a proxy is your only way forward unless you have control of all remote servers you are calling.
nathan
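
Added example (not part of the original thread): a small JavaScript model of the CORS decision discussed above, showing why a response can be visible on the wire yet come back empty to script. It covers simple requests only (no preflight); all hostnames, the allowlist and the function names are constructed for illustration.

```javascript
// Server side: origins this (hypothetical) service trusts to read its responses.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.net",
]);

// Build the CORS response headers for a request carrying the given Origin header.
function corsHeadersFor(origin, { credentials = false } = {}) {
  const headers = { Vary: "Origin" }; // caches must key on Origin
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers; // no grant
  headers["Access-Control-Allow-Origin"] = origin; // echo allowlisted origins only
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: may script running on pageOrigin read a response from targetOrigin?
function scriptMayRead(pageOrigin, targetOrigin, responseHeaders, { credentials = false } = {}) {
  if (pageOrigin === targetOrigin) return true; // same origin: no CORS check
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // response arrived, but stays hidden from script
  if (credentials) {
    // With cookies attached, "*" is not accepted and the credentials flag is required.
    return acao === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Simulate a page calling a remote service; returns what script would see.
function simulate(pageOrigin, serverHeaderFn, opts = {}) {
  const target = "https://legacy-service.example.org"; // constructed remote host
  const body = "<html>report</html>";                  // constructed response body
  const headers = serverHeaderFn(pageOrigin, opts);    // the server always answers
  return scriptMayRead(pageOrigin, target, headers, opts) ? body : "";
}
```

A server that sends no CORS headers at all, modelled as `simulate(origin, () => ({}))`, yields an empty string even though the body was sent.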
A: 

If you have administrative access to the server you will be making a cross-domain request to, then you can make it serve a Flash cross-domain policy file that grants another server (or servers) cross-domain access. Then that other server needs to use Flash to make its cross-domain requests.

If you are looking for something to help get you started, check out the open-source Forge project. It exposes a cross-domain XmlHttpRequest API in JavaScript so you only have to write JavaScript code:

http://github.com/digitalbazaar/forge/blob/master/README

dlongley