Ajax Same Origin Policy No More with Firefox 3.5
By Pete Freitag
Firefox 3.5 now allows you to make Ajax requests, or more correctly XMLHttpRequests, cross domain (in other words, foo.com can make XHR requests to bar.com). When I heard about this, my first thought was that they would use the crossdomain.xml file that Flash has supported for years to achieve this. They took a different approach and use an HTTP header instead, which I think makes more sense.
So how does it work...
When you make a request using the XMLHttpRequest object it sends an Origin header (this is new; I wrote a blog entry about the Origin header as well) which contains the domain of the requesting page. The HTTP response can send a header:

Access-Control-Allow-Origin: *

which means that any domain can access this page. You could also send a response header like this:

Access-Control-Allow-Origin: http://example.com

which only allows example.com as an origin. The Access-Control-Allow-Origin header should contain a comma separated list of acceptable domains or a
For POST requests, and requests that want to read response headers, an HTTP OPTIONS request is made first, which sends headers such as

Access-Control-Request-Method: POST

in the request.
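As an added example (not code from the original post), here is the server side of the exchange described above, in Node.js: an exact allow-list check on the Origin header, the matching origin echoed back as the single Access-Control-Allow-Origin value, and the OPTIONS preflight answered. The allowed origins and methods, and the names corsHeaders and handler, are assumptions for the example; it sends one origin value per response, which is what browsers actually accept in the header.

```javascript
// Added example (not from the original post): a server-side CORS decision
// function in Node.js style. ALLOWED_ORIGINS and ALLOWED_METHODS are a
// constructed allow-list; header keys are assumed lowercase, as Node's
// http module delivers them.
const ALLOWED_ORIGINS = new Set(["http://example.com", "https://app.example.org"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// Returns { headers, preflight }: the CORS response headers to set (empty if
// the request is not allowed) and whether this was a preflight OPTIONS request.
function corsHeaders(method, requestHeaders) {
  const origin = requestHeaders["origin"];
  const requestedMethod = requestHeaders["access-control-request-method"];
  const preflight = method === "OPTIONS" && requestedMethod !== undefined;

  // No Origin header: not a cross-origin browser request, nothing to add.
  if (origin === undefined) return { headers: {}, preflight };

  // Exact-match the whole origin string. A substring or prefix check would
  // also accept "http://example.com.attacker.test".
  if (!ALLOWED_ORIGINS.has(origin)) return { headers: {}, preflight };

  // Echo back the single matching origin rather than "*": the header carries
  // one value per response, and "Vary: Origin" keeps shared caches from
  // serving this response to a different origin.
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  if (preflight) {
    if (!ALLOWED_METHODS.has(requestedMethod)) return { headers: {}, preflight };
    headers["Access-Control-Allow-Methods"] = [...ALLOWED_METHODS].join(", ");
    headers["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
  }
  return { headers, preflight };
}

// Request handler usable with http.createServer(handler).
function handler(req, res) {
  const { headers, preflight } = corsHeaders(req.method, req.headers);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (preflight) {
    // Preflights carry no body; refuse if no CORS headers were granted.
    res.writeHead(headers["Access-Control-Allow-Origin"] ? 204 : 403);
    return res.end();
  }
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("cross-origin resource");
}

// Constructed sample: the preflight Firefox 3.5 sends before a cross-domain POST.
console.log(corsHeaders("OPTIONS", { origin: "http://example.com", "access-control-request-method": "POST" }));
```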
You can read more about this feature here.
Ajax Same Origin Policy No More with Firefox 3.5 was first published on June 30, 2009.