Ajax Same Origin Policy No More with Firefox 3.5

June 30, 2009

Firefox 3.5 now allows you to make AJAX Requests, or more correctly XMLHttpRequests cross domain (in other words foo.com can make XHR requests to bar.com). When I heard about this, my first is that they would use the cross-domain.xml file that Flash has supported for years to achieve this. They took a different approach, and use a HTTP header instead, which I think makes more sense.

So how does it work...

When you make a request using the XMLHttpRequest object it sends an Origin header (this is new, I wrote a blog entry about the Origin header as well) which contains the domain of the requesting page. The HTTP Response can send a HTTP header: Access-Control-Allow-Origin: * which means that any domain can access this page. You could also send a response header like this: Access-Control-Allow-Origin: http://example.com which only allows the example.com as an origin. The Access-Control-Allow-Origin header should contain a comma separated list of acceptable domains or a *.

For POST requests, and requests that want to read response headers a HTTP OPTIONS request is made first, that sends headers such as # Access-Control-Request-Method: POST in the request.

You can read more about this feature here

Permalink | Add Comment |

add to del.icio.us | Tags: ajax, firefox, xmlhttprequest, javascript, http

Related Entries

AJAX on IE - back to the IFRAME - August 17, 2005
Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
AJAX Presentation Outline - December 13, 2005
Cross Domain Data Theft using CSS - July 21, 2010
jQuery UI Sortable Tutorial - January 7, 2010

5 people found this page useful, what do you think?

Trackbacks

Trackback Address: 703/CBECA114C085F10D70A6225B1610C97B

Comments

On 06/30/2009 at 3:21:04 PM EDT Tom Mollerus wrote:

Pete, how is the Access-Control-Allow-Origin header enforced? Is it enforced in the client's browser?

On 06/30/2009 at 4:31:39 PM EDT Pete Freitag wrote:

@Tom - Yes it is enforced in the client's browser, and specified server side in the http response.

On 07/02/2009 at 12:32:05 PM EDT William from Lagos wrote:

Can the value be overwritten by anyone sending a custom header?

e:g xhrObject.setRequestHeader("Origin","foo.com")

On 07/02/2009 at 12:40:07 PM EDT Pete Freitag wrote:

@William - I would hope not, but I haven't tested it. I'll test that when I have a chance.

On 07/05/2009 at 3:56:30 PM EDT MikeD wrote:

This looks like someone stepped through a lot of issues to get this worked out. It's a great problem to be working on. Using custom request and response headers seems sketchy - with the addition of response headers controlling cacheability of permissions it feels like a separate resource (like cross-domain.xml) would have had more reuse of existing functionality & may have been easier to set up for sites that just want to let their data services be 'public'. I do like the discussion of using http authentication, that also seems like an easy way for data services to be public.

On 08/04/2009 at 10:10:35 PM EDT Brook wrote:

2 things about this are driving me nuts. 1 is that with IIS6, (at least) adding a comma delimited list of domains to the Access-Control-Allow-Origin header DOES NOT WORK. 1 domain works fine, * works for requests that don't use allow-credentials. But a comma delimited list does not work. Anybody else tried?

2. For Pre-Flighted requests an OPTIONS request is sent to the server and it responds with headers that indicate who and what is allowed.

CF should handle this so some security checks on referer and requested methods can be returned. But how do you get IIS to pass an OPTIONS method request to CF?

I can't get that to work either, and I've tried all the verb settings in IE and CF is mapped to respond to all-verbs, but no dice...

On 08/29/2009 at 5:58:43 AM EDT Bhaskar wrote:

Can anyone tell how Access-Control-Allow-Origin header set? and where is it set..is it at server side or client?

On 11/08/2010 at 2:11:59 AM EST Sandeep wrote:

I am looking at fixing this cross-domain issue for so long.... but till now with no success...Can you tell how to fix a cross domain issue. I have a check.html script with XMLHttpRequest and it makes to call on a server where a jsp file i.e. check.jsp is saved.

From firefox I can't access the contents of jsp file on the server due to cross-domain issue. Should I set the header in the jsp file and access the contents as I am doing now... kindly suggest.. I am struggling to solve this problem for long...

On 06/02/2011 at 4:00:02 PM EDT Willi wrote: