Ajax Same Origin Policy No More with Firefox 3.5
Firefox 3.5 now allows you to make AJAX Requests, or more correctly XMLHttpRequests cross domain (in other words foo.com can make XHR requests to bar.com). When I heard about this, my first is that they would use the cross-domain.xml
file that Flash has supported for years to achieve this. They took a different approach, and use a HTTP header instead, which I think makes more sense.
So how does it work...
When you make a request using the XMLHttpRequest
object it sends an Origin
header (this is new, I wrote a blog entry about the Origin header as well) which contains the domain of the requesting page. The HTTP Response can send a HTTP header: Access-Control-Allow-Origin: *
which means that any domain can access this page. You could also send a response header like this: Access-Control-Allow-Origin: http://example.com
which only allows the example.com as an origin. The Access-Control-Allow-Origin
header should contain a comma separated list of acceptable domains or a *
.
For POST requests, and requests that want to read response headers a HTTP OPTIONS
request is made first, that sends headers such as # Access-Control-Request-Method: POST
in the request.
You can read more about this feature here
Like this? Follow me ↯
Tweet Follow @pfreitagYou might also like:
- AJAX on IE - back to the IFRAME - August 17, 2005
- Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
- AJAX Presentation Outline - December 13, 2005
- Cross Domain Data Theft using CSS - July 21, 2010
- jQuery UI Sortable Tutorial - January 7, 2010
- Geolocation API for Adobe AIR? - October 8, 2008
- Adobe AIR Tutorial for HTML / JavaScript Developers - February 25, 2008
- Ext CFC - December 12, 2007
Comments
From firefox I can't access the contents of jsp file on the server due to cross-domain issue. Should I set the header in the jsp file and access the contents as I am doing now... kindly suggest.. I am struggling to solve this problem for long...