3 ways to make a cross-domain request in Javascript?
You can use Access-Control-Allow-Origin: * in the headers coming from the server on the other domain That relies on the browser being modern, however. Won't work on IE older than 8 See https://developer.mozilla. Org/En/HTTP_access_control.
You can use Access-Control-Allow-Origin: * in the headers coming from the server on the other domain. That relies on the browser being modern, however. Won't work on IE older than 8.
See https://developer.mozilla. Org/En/HTTP_access_control.
There is also Cross-Document Messaging combined with regular XHR. An example of this can be seen on the easyXDM example page : consumer.easyxdm.net/current/example/xhr....
After a successful and completed call to the send method of the XMLHttpRequest, if the server response was valid XML and the Content-Type header sent by the server is understood by the user agent as an Internet media type for XML, the responseXML property of the XMLHttpRequest object will contain a DOM document object. Another property, responseText will contain the response of the server in plain text by a conforming user agent, regardless of whether or not it was understood as XML. In the early development of the World Wide Web, it was found possible to breach users' security by the use of JavaScript to exchange information from one web site with that from another less reputable one.
All modern browsers therefore implement a same origin policy that prevents many such attacks, such as cross-site scripting. XMLHttpRequest data is subject to this security policy, but sometimes web developers want intentionally to circumvent its restrictions. This is sometimes due to the legitimate use of subdomains as, for example, making an XMLHttpRequest from a page created by foo.example.com for information from bar.example.com will normally fail.
Various alternatives exist to circumvent this security feature, including using JSONP, Cross-Origin Resource Sharing or alternatives with plugins such as Flash or Silverlight. XMLHttpRequest Level 2 also includes a feature to communicate with other domains. This is implemented in Firefox 3.5, Google Chrome, and Safari 4.
Internet Explorer 8 has the non-standard XDomainRequest, which can do a similar thing. Headers added to a server's HTTP response headers can allow cross-domain requests to succeed. For example, Access-Control-Allow-Origin: *, can allow all domains to access a server.
Access-Control-Allow-Origin can be used in all browsers that support cross-domain requests, which includes Internet Explorer 8. The W3C's specification is defined in Cross-Origin Resource Sharing. 29 When the request succeeds, a status 200 (OK) is returned; however, errors from cross-domain requests will not be identified and the status will always be zero.
"Attacking AJAX Applications", a presentation given at the Black Hat security conference. Discusses several issues involving XHR and the future of cross-domain Ajax.
Related Questions
Does Ajax - cross domain request return the request header?
Why is my cross-domain POST request being preflighted with an OPTIONS request?
Javascript: Cross-domain JSON request issues?
How to get cross domain request's response in javascript?
Do sub domain gets link juice from main domain without a text link to it from main domain?
Can you use Cross-Domain Ajax through a script on the other domain?