Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Javascript (http://www.velocityreviews.com/forums/f68-javascript.html)
-   -   cross domain XHR (http://www.velocityreviews.com/forums/t937691-cross-domain-xhr.html)

Andrew Poulos 11-20-2008 11:33 PM

cross domain XHR
 
If I want to send an XHR request to a different domain without expecting
a response is this possible? I've started looking into cross domain
security issues with AJAX and I'm unsure what gets restricted.

I'm building an elearning course that runs on one server and is to
notify a different server each time the course is completed.

Andrew Poulos

Stor Ursa 11-21-2008 12:24 AM

Re: cross domain XHR
 
Because of Browser Security there is no way of sending a Request to a
server other than the one hosting the page. In IE there is a setting
to allow you to turn off that Security, but it would be a pain in the
butt to ask your user to go to Tools > Internet Options, and then
require all your user's to only use IE.

The best way I've found to do this is send a request to the server you
are hosting the page on, and let that server redirect the request to
the other server.

If you are using .NET take a look at the WebRequest class.
If you are using Java take a look at the URLConnection and
HttpURLConnection classes.
Other server-side languages should provide similar functionality.

Bart Van der Donck 11-21-2008 08:45 AM

Re: cross domain XHR
 
Andrew Poulos wrote:

> If I want to send an XHR request to a different domain without expecting
> a response is this possible? I've started looking into cross domain
> security issues with AJAX and I'm unsure what gets restricted.
>
> I'm building an elearning course that runs on one server and is to
> notify a different server each time the course is completed.


It's not possible in a default javascript/AJAX environment. But there
are workarounds. You could try AJAX Cross Domain, a Perl/CGI approach:

http://www.ajax-cross-domain.com/

--
Bart

Jason S 11-21-2008 02:26 PM

Re: cross domain XHR
 
On Nov 20, 6:33*pm, Andrew Poulos <ap_p...@hotmail.com> wrote:
> If I want to send an XHR request to a different domain without expecting
> a response is this possible? I've started looking into cross domain
> security issues with AJAX and I'm unsure what gets restricted.


I asked this question recently...
http://groups.google.com/group/mozil...8290ae88e2065f

if you control both servers, then you could use the "Access-Control:"
header to grant cross-site permission, but it's kinda new & you need
browsers that pay attention to the use of this header. Firefox 3.0
doesn't but 3.1 is supposed to.

Thomas 'PointedEars' Lahn 11-21-2008 07:15 PM

Re: cross domain XHR
 
Andrew Poulos wrote:
> If I want to send an XHR request to a different domain without expecting
> a response is this possible?


Request to a non-existing server. Otherwise there is a response to a
request, be it only one with an error status code.

What you really wanted to ask is answered by

var o = new Image();
o.src = "http://foo.example/notify?foo=bar";

which is probably way more compatible than XHR.

> I'm building an elearning course that runs on one server and is to
> notify a different server each time the course is completed.


Another possibility is navigation in a hidden iframe.


PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7@news.demon.co.uk>

Bart Van der Donck 11-22-2008 12:31 PM

Re: cross domain XHR
 
Thomas 'PointedEars' Lahn wrote:

> Andrew Poulos wrote:
>> If I want to send an XHR request to a different domain without expecting
>> a response is this possible?

>
> Request to a non-existing server. *Otherwise there is a response to a
> request, be it only one with an error status code.
>
> What you really wanted to ask is answered by
>
> * var o = new Image();
> * o.src = "http://foo.example/notify?foo=bar";
>
> which is probably way more compatible than XHR.


The wish of the original poster ('to notify a different server')
cannot be accomplished by XHR anyhow.

A few alternatives for your solution are a GET/POST-request (to/in
hidden iframe or not), an <img src=""> call, <script src="">, <object>/
<embed> etc. etc.

All these have one thing in common: once the request is fired,
javascript can't know what happens further to it, since the Same
Origin Policy applies:
http://en.wikipedia.org/wiki/Same_origin_policy
But given the further requirements of the original poster ('without
expecting a response'), I think this should be no problem.

--
Bart

Jorge 11-22-2008 05:30 PM

Re: cross domain XHR
 
On 22 nov, 13:31, Bart Van der Donck <b...@nijlen.com> wrote:
> Thomas 'PointedEars' Lahn wrote:
> > Andrew Poulos wrote:
> >> If I want to send an XHR request to a different domain without expecting
> >> a response is this possible?

>
> > Request to a non-existing server. *Otherwise there is a response to a
> > request, be it only one with an error status code.

>
> > What you really wanted to ask is answered by

>
> > * var o = new Image();
> > * o.src = "http://foo.example/notify?foo=bar";

>
> > which is probably way more compatible than XHR.

>
> The wish of the original poster ('to notify a different server')
> cannot be accomplished by XHR anyhow.
>
> A few alternatives for your solution are a GET/POST-request (to/in
> hidden iframe or not), an <img src=""> call, <script src="">, <object>/
> <embed> etc. etc.
>
> All these have one thing in common: once the request is fired,
> javascript can't know what happens further to it, since the Same
> Origin Policy applies:http://en.wikipedia.org/wiki/Same_origin_policy
> But given the further requirements of the original poster ('without
> expecting a response'), I think this should be no problem.
>


<script src="anotherDomain.com"></script> isn't subject to the SOP:
can be used to both send and receive data back...

--
Jorge.

Bart Van der Donck 11-23-2008 08:46 AM

Re: cross domain XHR
 
Jorge wrote:

> <script src="anotherDomain.com"></script> isn't subject to the SOP:
> can be used to both send and receive data back...


All javascript is subject to the SOP (by default). That is not
different with <script src="">; the requested javascript file has only
one environment that it can run in, namely in the webpage that had
requested it.

You're right that remote js-calls may be used to send/retrieve data,
but always in possible underlying mechanisms at the server (in this
case, the remote resource usually serves .js from an application). But
this stands apart from SOP since SOP applies to client scripting only.

--
Bart

Jorge 11-23-2008 10:33 AM

Re: cross domain XHR
 
On Nov 23, 9:46*am, Bart Van der Donck <b...@nijlen.com> wrote:
> Jorge wrote:
> > <script src="anotherDomain.com"></script> isn't subject to the SOP:
> > can be used to both send and receive data back...

>
> All javascript is subject to the SOP (by default). That is not
> different with <script src="">; the requested javascript file has only
> one environment that it can run in, namely in the webpage that had
> requested it.
>
> You're right that remote js-calls may be used to send/retrieve data,
> but always in possible underlying mechanisms at the server (in this
> case, the remote resource usually serves .js from an application). But
> this stands apart from SOP since SOP applies to client scripting only.
>


A <script> tag coming from a completely different domain can access
freely and modify everything in the page, even though it's origin
isn't the same: it's not subject to the SOP:

http://jorgechamorro.com/cljs/026/

--
Jorge.

Jorge 11-23-2008 10:47 AM

Re: cross domain XHR
 
On Nov 23, 9:46*am, Bart Van der Donck <b...@nijlen.com> wrote:
> Jorge wrote:
> > <script src="anotherDomain.com"></script> isn't subject to the SOP:
> > can be used to both send and receive data back...

>
> All javascript is subject to the SOP (by default). That is not
> different with <script src="">; the requested javascript file has only
> one environment that it can run in, namely in the webpage that had
> requested it.
>
> You're right that remote js-calls may be used to send/retrieve data,
> but always in possible underlying mechanisms at the server (in this
> case, the remote resource usually serves .js from an application). But
> this stands apart from SOP since SOP applies to client scripting only.
>
> --
> *Bart


A <script> tag coming from a completely different domain can access
freely and modify everything in the page, even though its origin isn't
the same: it's not subject to the SOP:

http://jorgechamorro.com/cljs/026/

--
Jorge.


All times are GMT. The time now is 04:34 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.