cross domain XHR

Discussion in 'Javascript' started by Andrew Poulos, Nov 20, 2008.

  1. If I want to send an XHR request to a different domain without expecting
    a response is this possible? I've started looking into cross domain
    security issues with AJAX and I'm unsure what gets restricted.

    I'm building an elearning course that runs on one server and is to
    notify a different server each time the course is completed.

    Andrew Poulos
     
    Andrew Poulos, Nov 20, 2008
    #1
    1. Advertising

  2. Andrew Poulos

    Stor Ursa Guest

    Because of Browser Security there is no way of sending a Request to a
    server other than the one hosting the page. In IE there is a setting
    to allow you to turn off that Security, but it would be a pain in the
    butt to ask your user to go to Tools > Internet Options, and then
    require all your user's to only use IE.

    The best way I've found to do this is send a request to the server you
    are hosting the page on, and let that server redirect the request to
    the other server.

    If you are using .NET take a look at the WebRequest class.
    If you are using Java take a look at the URLConnection and
    HttpURLConnection classes.
    Other server-side languages should provide similar functionality.
     
    Stor Ursa, Nov 21, 2008
    #2
    1. Advertising

  3. Andrew Poulos wrote:

    > If I want to send an XHR request to a different domain without expecting
    > a response is this possible? I've started looking into cross domain
    > security issues with AJAX and I'm unsure what gets restricted.
    >
    > I'm building an elearning course that runs on one server and is to
    > notify a different server each time the course is completed.


    It's not possible in a default javascript/AJAX environment. But there
    are workarounds. You could try AJAX Cross Domain, a Perl/CGI approach:

    http://www.ajax-cross-domain.com/

    --
    Bart
     
    Bart Van der Donck, Nov 21, 2008
    #3
  4. Andrew Poulos

    Jason S Guest

    On Nov 20, 6:33 pm, Andrew Poulos <> wrote:
    > If I want to send an XHR request to a different domain without expecting
    > a response is this possible? I've started looking into cross domain
    > security issues with AJAX and I'm unsure what gets restricted.


    I asked this question recently...
    http://groups.google.com/group/mozilla.dev.ajax/browse_thread/thread/2c8290ae88e2065f

    if you control both servers, then you could use the "Access-Control:"
    header to grant cross-site permission, but it's kinda new & you need
    browsers that pay attention to the use of this header. Firefox 3.0
    doesn't but 3.1 is supposed to.
     
    Jason S, Nov 21, 2008
    #4
  5. Andrew Poulos wrote:
    > If I want to send an XHR request to a different domain without expecting
    > a response is this possible?


    Request to a non-existing server. Otherwise there is a response to a
    request, be it only one with an error status code.

    What you really wanted to ask is answered by

    var o = new Image();
    o.src = "http://foo.example/notify?foo=bar";

    which is probably way more compatible than XHR.

    > I'm building an elearning course that runs on one server and is to
    > notify a different server each time the course is completed.


    Another possibility is navigation in a hidden iframe.


    PointedEars
    --
    Prototype.js was written by people who don't know javascript for people
    who don't know javascript. People who don't know javascript are not
    the best source of advice on designing systems that use javascript.
    -- Richard Cornford, cljs, <f806at$ail$1$>
     
    Thomas 'PointedEars' Lahn, Nov 21, 2008
    #5
  6. Thomas 'PointedEars' Lahn wrote:

    > Andrew Poulos wrote:
    >> If I want to send an XHR request to a different domain without expecting
    >> a response is this possible?

    >
    > Request to a non-existing server.  Otherwise there is a response to a
    > request, be it only one with an error status code.
    >
    > What you really wanted to ask is answered by
    >
    >   var o = new Image();
    >   o.src = "http://foo.example/notify?foo=bar";
    >
    > which is probably way more compatible than XHR.


    The wish of the original poster ('to notify a different server')
    cannot be accomplished by XHR anyhow.

    A few alternatives for your solution are a GET/POST-request (to/in
    hidden iframe or not), an <img src=""> call, <script src="">, <object>/
    <embed> etc. etc.

    All these have one thing in common: once the request is fired,
    javascript can't know what happens further to it, since the Same
    Origin Policy applies:
    http://en.wikipedia.org/wiki/Same_origin_policy
    But given the further requirements of the original poster ('without
    expecting a response'), I think this should be no problem.

    --
    Bart
     
    Bart Van der Donck, Nov 22, 2008
    #6
  7. Andrew Poulos

    Jorge Guest

    On 22 nov, 13:31, Bart Van der Donck <> wrote:
    > Thomas 'PointedEars' Lahn wrote:
    > > Andrew Poulos wrote:
    > >> If I want to send an XHR request to a different domain without expecting
    > >> a response is this possible?

    >
    > > Request to a non-existing server.  Otherwise there is a response to a
    > > request, be it only one with an error status code.

    >
    > > What you really wanted to ask is answered by

    >
    > >   var o = new Image();
    > >   o.src = "http://foo.example/notify?foo=bar";

    >
    > > which is probably way more compatible than XHR.

    >
    > The wish of the original poster ('to notify a different server')
    > cannot be accomplished by XHR anyhow.
    >
    > A few alternatives for your solution are a GET/POST-request (to/in
    > hidden iframe or not), an <img src=""> call, <script src="">, <object>/
    > <embed> etc. etc.
    >
    > All these have one thing in common: once the request is fired,
    > javascript can't know what happens further to it, since the Same
    > Origin Policy applies:http://en.wikipedia.org/wiki/Same_origin_policy
    > But given the further requirements of the original poster ('without
    > expecting a response'), I think this should be no problem.
    >


    <script src="anotherDomain.com"></script> isn't subject to the SOP:
    can be used to both send and receive data back...

    --
    Jorge.
     
    Jorge, Nov 22, 2008
    #7
  8. Jorge wrote:

    > <script src="anotherDomain.com"></script> isn't subject to the SOP:
    > can be used to both send and receive data back...


    All javascript is subject to the SOP (by default). That is not
    different with <script src="">; the requested javascript file has only
    one environment that it can run in, namely in the webpage that had
    requested it.

    You're right that remote js-calls may be used to send/retrieve data,
    but always in possible underlying mechanisms at the server (in this
    case, the remote resource usually serves .js from an application). But
    this stands apart from SOP since SOP applies to client scripting only.

    --
    Bart
     
    Bart Van der Donck, Nov 23, 2008
    #8
  9. Andrew Poulos

    Jorge Guest

    On Nov 23, 9:46 am, Bart Van der Donck <> wrote:
    > Jorge wrote:
    > > <script src="anotherDomain.com"></script> isn't subject to the SOP:
    > > can be used to both send and receive data back...

    >
    > All javascript is subject to the SOP (by default). That is not
    > different with <script src="">; the requested javascript file has only
    > one environment that it can run in, namely in the webpage that had
    > requested it.
    >
    > You're right that remote js-calls may be used to send/retrieve data,
    > but always in possible underlying mechanisms at the server (in this
    > case, the remote resource usually serves .js from an application). But
    > this stands apart from SOP since SOP applies to client scripting only.
    >


    A <script> tag coming from a completely different domain can access
    freely and modify everything in the page, even though it's origin
    isn't the same: it's not subject to the SOP:

    http://jorgechamorro.com/cljs/026/

    --
    Jorge.
     
    Jorge, Nov 23, 2008
    #9
  10. Andrew Poulos

    Jorge Guest

    On Nov 23, 9:46 am, Bart Van der Donck <> wrote:
    > Jorge wrote:
    > > <script src="anotherDomain.com"></script> isn't subject to the SOP:
    > > can be used to both send and receive data back...

    >
    > All javascript is subject to the SOP (by default). That is not
    > different with <script src="">; the requested javascript file has only
    > one environment that it can run in, namely in the webpage that had
    > requested it.
    >
    > You're right that remote js-calls may be used to send/retrieve data,
    > but always in possible underlying mechanisms at the server (in this
    > case, the remote resource usually serves .js from an application). But
    > this stands apart from SOP since SOP applies to client scripting only.
    >
    > --
    >  Bart


    A <script> tag coming from a completely different domain can access
    freely and modify everything in the page, even though its origin isn't
    the same: it's not subject to the SOP:

    http://jorgechamorro.com/cljs/026/

    --
    Jorge.
     
    Jorge, Nov 23, 2008
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Erich Lin

    multiple xhr requests

    Erich Lin, Jul 6, 2006, in forum: Ruby
    Replies:
    3
    Views:
    192
    Erich Lin
    Jul 7, 2006
  2. Adam Ratcliffe

    Set document loaded by XHR into Frame

    Adam Ratcliffe, Apr 16, 2005, in forum: Javascript
    Replies:
    0
    Views:
    95
    Adam Ratcliffe
    Apr 16, 2005
  3. Sri
    Replies:
    0
    Views:
    112
  4. NeoAlchemy
    Replies:
    3
    Views:
    111
    NeoAlchemy
    Feb 17, 2007
  5. -Lost
    Replies:
    4
    Views:
    160
    Cah Sableng
    May 4, 2007
Loading...

Share This Page