tags:

views:

3845

answers:

6
+10  Q: 

Cross-site AJAX requests

I need to make an AJAX request from a website to a REST web service hosted in another domain.


Althouht this is works just fine in Internet Explorer, other browsers such as Mozilla and Google Chrome impose far stricter security restrictions, which prohibit cross-site AJAX requests.

My problem is that I have no control over the domain nor the web server where the site is hosted. This means my REST web service must run somewhere else, and I can't put in place any redirection mechanism.
Here is the JavaScript code that makes the asynchronous call:

var serviceUrl = "http://myservicedomain";
var payload = "<myRequest><content>Some content</content></myRequest>";
var request = new XMLHttpRequest();
request.open("POST", serviceUrl, true); // <-- This fails in Mozilla Firefox amongst other browsers
request.setRequestHeader("Content-type", "text/xml");
request.send(payload);

How can have this work in other browsers than just Internet Explorer?

+5  A: 

maybe jsonp can help.

NB youll have to change your messages to use json instead of xml

Edit

Major sites such as flickr and twitter support jsonp with callbacks etc

redsquare  2008-12-02 10:17:04
this might work, but JSONP is an admission that something's wrong :)
annakata  2008-12-02 10:24:30
how popular is this approach? It seems kind of experimental.
Enrico Campidoglio  2008-12-02 10:37:11
@annakata obviously but he metnioned he has no handle over the web server etc so using a proxy is out of the window. I'm not here to comment on his situation just provide a possible solution to his question/problem.
redsquare  2008-12-02 10:50:39
@redsquare: agreed, he's in a corner@enrico: quite experimental, but it is used
annakata  2008-12-02 11:13:05
Even though posting the AJAX request from an iframe hosted on the same domain as the REST service is a viable solution (as long as there is no need for communication between the iframe and the page), I'm not very fond of iframes in general because of their compatibility issues. So JSONNP is probably the best solution currently available.
Enrico Campidoglio  2009-07-08 08:29:49
but from my understanding, jsonp requires the server embed a call to the "callback" function passed in the jsonp request, so this wouldn't work in this situation, since he doesn't have control over the server... read the following for a nice overview of jsonp: http://www.insideria.com/2009/03/what-in-the-heck-is-jsonp-and.html
Brad Parks  2010-01-08 17:24:30
+1  A: 

The fact that this works in IE is a security issue with IE, not a feature.

Unfortunately cross-site scripting is prohibited, and the accepted work around is to proxy the requests through your own domain: do you really have no ability to add or modify server side code?

Furthermore, the secondary workaround - involving the aquisition of data through script tags - is only going to support GET requests, which you might be able to hack with a SOAP service, but not so much with the POST request to a RESTful service you describe.

I'm really not sure an AJAX solution exists, you might be back to a <form> solution.

annakata  2008-12-02 10:22:36
I agree that allowing XSS is a security flaw in IE.Unfortunately, I don't have any control over the web server, since it is a blog hosted on a third-party provider.I also thought about using HTML forms, but that would cause a full page post instead of a nice asynchronous call.
Enrico Campidoglio  2008-12-02 10:36:05
+1  A: 

Have you tried posting to an IFrame ?

 2008-12-02 10:48:10
You mean having the AJAX request made from an IFrame hosted on the same domain as the REST web service?
Enrico Campidoglio  2008-12-02 10:57:02
There may be milage in this, but you're really just moving the problem not solving it - the iframe/page communication will now have an issue
annakata  2008-12-02 11:15:19
That's OK since I don't need to access the parent page from the iframe, but just make an AJAX request with the iframe's own content.
Enrico Campidoglio  2009-07-08 08:15:04
A: 

This post could be helpful for you.

Edit(Adam): Post was linked incorrectly, but points to a blank page anyway. Here's a more useful post on Firefox's implementation of the W3C "Access Control For Cross Site Requests."

Sachin Gaur  2008-12-02 11:11:21
+2  A: 

The not very clear workaround (but works) is using iframe as container for requests to another sites. The problem is, the parent can not access iframe's content, can only navigate iframe's "src" attribut. But the iframe content can access parent's content.

So, if the iframe's content know, they can call some javascript content in parent page or directly access parent's DOM.

EDIT: Sample:

function ajaxWorkaroung() {
    var frm = gewtElementById("myIFrame")
    frm.src = "http://some_other_domain"
}
function ajaxCallback(parameter){
    // this function will be called from myIFrame's content
}
TcKs  2008-12-02 12:11:51
IFrames are slower than ajax, and also in older IE I remember there is a 'click' sound played every iframe.src update :(
Thinker  2009-07-05 21:42:06
In javascript one can not access the parent javascript data or functions cros-domain. The answer is untrue.
naugtur  2010-06-23 17:17:07
@nagtur: I successfully used this scenario in some time ago :|.
TcKs  2010-06-24 08:57:06
+2  A: 

The post marked as the answer is erroneous: the iframes document is NOT able to access the parent. The same origin policy works both ways.

The fact is that it is not possible in any way to consume a rest based webservice using xmlhttprequest. The only way to load data from a different domain (without any framework) is to use JSONP. Any other solutions demand a serverside proxy located on your own domain, or a client side proxy located on the remote domain and som sort of cross-site communication (like easyXDM) to communicate between the documents.

Sean Kinsey  2009-07-05 21:37:08
-1 because this isn't inaccurate. It is possible to access the parent page from an IFRAME with JavaScript by using the 'parent' DOM object. For example this will modify an element in the page from within an IFRAME: parent.document.getElementById("someDiv").innerHTML = "some content";
Enrico Campidoglio  2009-07-07 12:14:09
The question is about document from different domain - and the same origin policy will therefor be i effect. An IFrame from domainA is NOT able to access the contentDocument of its parent if the parent is from domainB.As the author of the easyXSS cross-site library, I do have some knowledge around this.
Sean Kinsey  2009-07-07 21:58:42
I missunderstood your answer then. You are right, an iframe cannot access the parent page's content and viceversa when the two are being hosted in different domains. However in my case using an iframe works well, because it doesn't need to access the parent page in any way, but it simply posts an AJAX request to a service, which is hosted on its same domain.
Enrico Campidoglio  2009-07-08 08:11:54
Do you mind fixing the rating for the answer then? :)
Sean Kinsey  2009-07-08 17:44:59
You need to edit your answer, since SO won't allow me to change a vote that's too old
Enrico Campidoglio  2009-07-25 12:18:20
easyXSS has been renamed to easyXDM, and it has also been improved quite a bit
Sean Kinsey  2010-01-13 11:13:39

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security