Which domain for XMLHttpRequest?

[virtuPIC]

Assume you want to provide functionality in JavaScript file 'f.js' to
be used by tag

<script src="f.js"></script>

Now 'f.js' contains XMLHttpRequest. If you use relative URL when
calling its method 'open' which domain does it access? If you use
absolute URL which domain is allowed?

I need that access is to the domain there 'f.js' rests. My browsers
(Firefox 1.5.0.7 and MSIE 6.0.2900...) consider the user's domain where
you find the script-tag the current one.

Tried to find articles covering this issue here - but couldn't find
any. However, Google Maps API seems to use this feature for geocoding.

virtuPIC

 

[Leo Meyer]

Now 'f.js' contains XMLHttpRequest. If you use relative URL when

calling its method 'open' which domain does it access? If you use
absolute URL which domain is allowed?

According to my experience, browsers use the "same origin policy" to
determine which AJAX requests are allowed.
Google will tell you everything.

Regards,
Leo

 

[Tom Cole]

According to my experience, browsers use the "same origin policy" to
determine which AJAX requests are allowed.
Google will tell you everything.

Yes it's going to assume relative to the document that imported the
library, not the library's location. Remember it gets pulled and
processed in the client and is therefore going to use the document's
location when determining relative URLs.

If you hardcode the URL that's okay as long as it doesn't try to cross
domains from the one in the document.location.

 

[virtuPIC]

Yes it's going to assume relative to the document that imported the

library, not the library's location. Remember it gets pulled and
processed in the client and is therefore going to use the document's
location when determining relative URLs.

If you hardcode the URL that's okay as long as it doesn't try to cross
domains from the one in the document.location.

Yes, I agree. However, there must be some solution. Google Maps API
provides geocoding using AJAX. Have a look at

http://www.google.com/apis/maps/documentation/reference.html#GClientGeocoder

I tried to find out, but Google Maps JavaScript is too obfuscated for
my taste. It uses XMLHttpRequest to access some URL different from
document.location of the file using the API. How does it work?

To make it run soon I will implement some connection using an invisible
IFRAME, but that won't be final.

Any help appreciated.
virtuPIC

 

[VK]

Have a look at

http://www.google.com/apis/maps/documentation/reference.html#GClientGeocoder

I tried to find out, but Google Maps JavaScript is too obfuscated for
my taste. It uses XMLHttpRequest to access some URL different from
document.location of the file using the API. How does it work?

That is not about document.location to be the same. It must be the same
domain, where "domain" in the cross-domain issue means:

http://www.server.com
or
http://www:1234.server.com
so:
[protocol] [subdomain(s)] [port] [domain] [high-level domain]

where all parts must be the same (or equally not presented). After that
you can have as many differences as you want, but the smallest
difference in any of above parts will trig the cross-domain block (in
default security environment).

In this aspect Google is in the same sorry situation as anyone else, so
if their ajaxoid works across domains than:

1) They are using some sross-browser vulnerability exploit in
IXMLHTTPRequest / XMLHttpRequest object (highly unlickly).

2) They are using standard server-side workarounds for cross-domain
lock (the latter over the last two years became an annoing bug to fix
in each solution, rather than a security mesure of any kind).

 

[aka]

The only way is to use a workaround - a serverside program that reads
the external file, php for example. If you are interested I will send
you a php file which I wrote to make external requests via Iframe or
XMLHttpRequest.

Andi

 

[BinnyVA]

The only way is to use a workaround - a serverside program that reads

the external file, php for example. If you are interested I will send
you a php file which I wrote to make external requests via Iframe or
XMLHttpRequest.

This is the most dependable method - it is guaranteed to work. However
there are other methods too...

Using a hidden IFrame to load the external data.
http://manual.dojotoolkit.org/WikiHome/DojoDotBook/Book75

Using Flash's cross domain capabilities.

Calling a JS file from an external site - as used in Cow
Ajax(http://cows-ajax.sourceforge.net/)

W3C recommendation for Cross-Domain XHR...
http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012

 

[Touffy]

virtuPIC said:

Yes, I agree. However, there must be some solution. Google Maps API
provides geocoding using AJAX. Have a look at

http://www.google.com/apis/maps/documentation/reference.html#GClientGeocoder

I tried to find out, but Google Maps JavaScript is too obfuscated for
my taste. It uses XMLHttpRequest to access some URL different from
document.location of the file using the API. How does it work?

To make it run soon I will implement some connection using an invisible
IFRAME, but that won't be final.

In fact, that's just what Google Maps does. They don't load the XML
directly with XMLHttpRequest, they wrap it inside an IFRAME's document,
and they reload that IFRAME.

Using just any method (SOAP, invisible IFRAME...) to retrieve XML
without reloading the page is, litterally, asynchronous JavaScript and
XML.
Therefore AJAX != XMLHttpRequest

 

[virtuPIC]

Many thanks to all of you answering my question! In parallel, I found a
web page explaining different options:
http://www.xml.com/pub/a/2005/11/09/fixing-ajax-xmlhttprequest-considered-harmful.html?page=last

I'll use on-demand JavaScript for which you can find a code sample on
the xml.com-page.

Again, thank you very much!
virtuPIC