can someone explain the cross domain security re AJAX in IE?

Adrian

can someone explain the cross domain security re AJAX in IE?

I have a page that calls a web service (WS) from another domain (the target
browser is only IE6) and displays its results! All works fine when the page
is run from my hdd, however when run from the web I get "Access denied" due
to the cross domain security (I assume).

So I set the browser setting to allow cross domain but this did not seem to
work, I got the same error!

Next I tried adding an "A" record to my domain for the WS, so I had
www.mydomain.com = IP of web server and added ws.mydomain.com = IP of the
server providing the WS. But I still got the same error even though they are
called using the same domain name!

So what does IE check to establish if it's cross domain before allowing the
call using XMLHttpRequest to a domain that is different from where the
calling page is hosted?

thanks
 
VK

Adrian said:
So what does IE check to establish if it's cross domain before allowing the
call using XMLHttpRequest to a domain that is different from where the
calling page is hosted?

It checks if "from" and "to" domains are identical. Say even
foo.mydomain.com
and
bar.mydomain.com
are considered to be different.

The only exception it makes is for scripts run from local pages
(loaded from your hard drive). No other exceptions, no options to
change. That is an obvious dead end for the technology, however
serious security considerations would be.

So currently many UA producers are testing different ways to relax
cross domain security while keeping it under some control. I suggest to
search for
"XMLHttpRequest cross domain security" at mozilla.org
and
"IXMLHTTPRequest cross domain security" at microsoft.com

Some solutions are only discussed but not yet implemented, some
implemented but only on the latest engines.

For the time being (if you decide to stay with AJAX) you'll have to use
one of server-side content grabbers like say
<http://www.geocities.com/schools_ring/stargates/>
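
An added example, not part of the original posts: the general same-origin comparison browsers apply to XMLHttpRequest (scheme, host and port compared as strings), run over the hostnames from this thread. It shows why an extra "A" record for ws.mydomain.com does not help; the function names and URL paths are constructed for illustration, and this is not IE6's own implementation.

```javascript
// Added illustration: general same-origin comparison (scheme, host, port).
// Not IE6's actual code; paths are constructed, hostnames come from the thread.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the triple that is compared.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,                              // e.g. "http:"
    host: u.hostname.toLowerCase(),                  // compared by name, never by IP
    port: u.port || DEFAULT_PORTS[u.protocol] || ''  // make the default port explicit
  };
}

// Return the components that differ; an empty list means same origin.
function originMismatch(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl);
  return ['scheme', 'host', 'port'].filter(k => a[k] !== b[k]);
}

function sameOrigin(pageUrl, targetUrl) {
  return originMismatch(pageUrl, targetUrl).length === 0;
}

// Constructed cases: the calling page and candidate web service URLs.
const page = 'http://www.mydomain.com/page.html';
const cases = [
  'http://www.mydomain.com/ws/service',   // same host, different path
  'http://WWW.MyDomain.com:80/ws',        // case and explicit default port
  'http://ws.mydomain.com/service',       // sibling subdomain
  'http://foo.mydomain.com/service',      // another sibling subdomain
  'https://www.mydomain.com/ws',          // different scheme (and default port)
  'http://www.mydomain.com:8080/ws'       // different port
];
for (const target of cases) {
  const diff = originMismatch(page, target);
  console.log(target, diff.length ? 'cross-origin: ' + diff.join(', ') : 'same origin');
}
```

Serving the web service under a path of www.mydomain.com (for example through a server-side forwarder) is the case that passes this check.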
 
Martin Honnen

Adrian wrote:

I have a page that calls a web service (WS) from another domain (the target
browser is only IE6) and displays its results! All works fine when the page
is run from my hdd, however when run from the web I get "Access denied" due
to the cross domain security (I assume).

You can put the host that should be allowed to call the web service in
the trusted zone and configure that zone to allow access to data sources
beyond domain boundaries.
 
Adrian

Thank you both, I know this is off topic for this group but can a signed
ActiveX make the cross domain call?
 
VK

Adrian said:
can a signed ActiveX make the cross domain call?

Presumably yes - if being signed by a recognized authority certificate:
so you can write a .wsh script or a C++ program for that.

You can also make a signed page for Gecko browsers to request more
privileges. See
<www.mozilla.org/projects/security/components/signed-scripts.html>

It doesn't solve the problem universally (as a server-side content
grabber does) but can be sufficient for your current situation.

Overall the main current trend for all major browser producers
(including Microsoft, Mozilla and Mac) is in using a Macromedia
Flash-like approach which was in turn first used in Microsoft Data
Binding techniques. Namely you create on the server a text file of a
fixed format and you list in this file all domains and subdomains
allowed to inter-communicate with each other. As I'm starving now on a
9,200 baud cell modem :) I skip on linking all relevant documents from
microsoft.com and mozilla.org - but they are there for sure as I once
studied them. You may want to search for them independently.
 
