I'm trying to detect server information using only JS such as HTTP response code & content.
Because of Same-origin policy I'm not allowed to use normal ajax request and therefore i'm forced to following workarounds
Using JSONP is great but in case of error I can't know what HTTP code or content of response page
Using Image request is not really option cause, same as above, I can't know HTTP code or content. I can only know if I loaded image to DOM.
Using AJAX with CORS. This is best solution so far but in case it is not my server I can't detect HTTP code :(. Same applies for flash and crossdomain.xml policy.
Using iframe, as i know I can't detect HTTP code or content.
While writing this I've just notice that I'm dealing with XSS issues here but all I need from JS is HTTP code OR content of another domain.
All suggestions are welcome.
I fear that is not possible using client-side JavaScript, unless the server implements a mechanism allowing you to gather this information by either simply supporting CORS or include the information in the JSON response of the JSONP request.
However, if you have some server-side support you could put in place an API that allows you to do so. E.g. You call a service on your server which in turn performs the request on the remote server and returns the desired information.
Related
We can simply call GET request for any page on the web using html tags from another origin:
<script src="http://example.com/user/post?txt=sample"></script>
XHR other origin is blocked because of security reason, as an instance, attacker can post behalf of a user using GET request(Consider the fact that it is not possible because of lack of cookies). However, the above script tag will do the same(Same, cookies are not available). So why XHR GET request is not allowed?
GET requests are not supposed to change anything on the server. From RFC 2616 section 9.1.1:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".
In your example of posting to a site using a GET request, the site shouldn't even allow that, and the same-origin policy isn't really meant to prevent it.
The reason XHR is treated differently is that XHR returns the HTTP response to the JavaScript code that made the request, so it has the potential to leak information. For example, if cross-domain XHR GET requests were allowed, a malicious script could query your bank's website to find out how much money is in your account.
Other methods of performing GET requests don't leak information. In particular:
You can add a <script> tag to the document, but the browser will try to run the response as a script. Unless the response is a valid script that's specifically designed to provide data using the JSONP convention, your code can't "see" anything that was in the response.
You can add an <img> tag to the document and maybe load some of the user's personal photos from another site, but the image will only appear on the screen; you can't access the pixel data from JavaScript.
I'm new to AJAX and I have what I think is a simple question. I know you can create a page that will respond to an AJAX call. Is it possible to just get any page with an AJAX call?
So I mean to say, can I do anything with an AJAX call that I could do with a URL?
EDIT #1
Thanks for all the responses! Really helped clarify!
Yes and no.
AJAX is a powerful mechanism by which you can retrieve and/or load data into the DOM in a flexible manner. You can do things like grab the content of another page and display all or portions of it on your page. There is a catch however.
Due to security reasons, you cannot depend on being able to make an AJAX call in a cross-domain manner unless the server on the other domain is properly configured. This is known as Cross-Origin Resource Sharing (CORS). You can read more about that here - http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
Alternatively, some servers will expose API's that work with JSONP (JSON with Padding), which is a sort of workaround for the Same Origin Policy (SOP) that normally prevents cross-domain requests of this nature. In JSONP, the remote endpoint in essence wraps the response in a javascript function. You can read more about JSONP here - http://en.wikipedia.org/wiki/JSONP
You are limited to requests within the same domain, unlike a normal URL. There are ways around it using CORS or JSONP in that case.
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
No.
One example is that you can't use AJAX to upload or download files. One workaround for this is to target the upload or download to a hidden iframe and poll that frame for a response. Update: it seems some support for this is part of HTML 5 (see https://developer.mozilla.org/en-US/docs/Using_files_from_web_applications).
A second example is navigating the user to another page. You can load a second page and replace the contents of the window with it, but the URL will still be the original page (the "refresh" and "back" features of the browser will behave accordingly).
A third is cross-domain requests. AJAX calls are limited to the domain the page originated from.
Is there anyway with javascript/jQuery to check if a website is up?
You're limited by the single origin policy I don't think you can use a standard Ajax request, but is it possible to try and load a file (similar to wget) and get the status code of the reply another way?
This would be for a user side website checker, where they can check if multiple domains are "up" without having to use any code on a server.
e.g. I open a web page at checkmysite.org it sends an HTTP request to mysite.org to check whether it receives a response, and if so the domain is online
The single origin policy exists for a very good reason. What you're asking is effectively the same as "how can I defeat the single origin policy?".
You could always work around the policy with the co-operation of the server-end, for some specific known server. (e.g: CORS, cross-domain.xml in flash, <script> tag, etc).
Why is it so important that this not have help from the server at checkmysite.org? It could host an absolutely trivial php script which does the HEAD request for you. Your JavaScript code could just do a normal GET request to the PHP script.
I'm working on the project where the client has the back-end code in ServerA, and my front-end code, which is supposed to talk to back-end via AJAX requests is on ServerB, and they are in different domains. Because of the same origin policy, I'm not able to make those requests successfully (neither POST nor GET). Is it possible to enable it somehow without changing the back-end code to handle the JSONP? eg., white list that particular domain, or something?
I tried to emulate this in my local network where the back-end code is running on 10.0.1.4 (different machine), and I'm accessing it from localhost (apache), but couldn't figure out anything that doesn't require using jsonp. When calls are made, I'm not even seeing anything in the logs in the back-end, but it works fine from the REST client and by just loading the URL for GET requests. How are public API requests implemented that are not using JSONP?
I need at least one method (POST or GET) to work. Thanks.
Is it possible to enable it somehow without changing the back-end code
to handle the JSONP? eg., white list that particular domain, or
something?
Yes, you could write a server side script on your domain that will serve as a bridge between your and the remote domain and then send an AJAX request to your script.
Don't expect miracles. If you don't have control over the remote domain you are busted. The same origin policy restriction that's built into browsers for security reasons busts you. Well, you could always write your own browser that doesn't implement this policy, but I think you get my point.
Common workarounds include JSONP and CORS but they involve control over the remote domain. If you don't have control then read the my previous sentence as well as my first sentence.
Here's a nice guide I invite you consulting that covers some common techniques allowing to achieve cross domain AJAX with jQuery. Then adapt the one that fits best your scenario. And there's always the heavy artillery solution that involves bridging the 2 domains with a server side script which works bullet-proof in 100% of the cases if none of the other workarounds help you.
Is it possible to enable it somehow without changing the back-end code to handle the JSONP? eg., white list that particular domain, or something?
Hmmm, mostly no. You must allow JSONP or "white list" things via CORS (which is very easy to do). Or you can use YQL as a cross-domain proxy.
Three solutions posted here:
http://devlog.info/2010/03/10/cross-domain-ajax/
I've tried the third option since it just worked for me.. and I didn't have to go through any extra stress as it just handled things just like a regular ajax call.
Updating answer as this was posted 2 years ago:
LINK ABOVE NO LONGER WORKS.
Server side proxy:
the old page also talks about using a server side proxy, which means your server makes a call to another server, grabs all the data and sends it off to a page resting on that server. There is no problem for one server to fetch data from another server. So then your page can make a regular ajax call to that server. I didn't go with this option as it required more manual labor. So I'd suggest going with the option detailed here:
JSONP with jQuery
Make sure the provider supports JSONP.
Set the dataType option to jsonp, and if the provider uses a different GET param other than 'callback', specify the jsonp option to that parameter name.
$.ajax({
// ... Use the AJAX utility as you normally would
dataType: 'jsonp',
// ...
});
jQuery will generate a unique callback name for this request (something like json1268267816). Thus, the reply from a web service would be something like:
json1268267816({'uid': 23, 'username': 'Chroder', 'name': 'Christopher Nadeau'});
But jQuery handles it all seamlessly, so you as the developer just handle it like a normal AJAX request using the same jQuery success/failure/complete callback hooks.
Drawbacks:
The first limitation to this method is that you have to rely on the provider to implement JSONP. The provider needs to actually support JSONP -- they need to wrap their JSON data with that callback function name.
Then the next limitation -- and this is a big one -- is that JSONP doesn't support POST requests. Since all data is passed in the query string as GET data, you are severely limited if your services require the passing of long data (for example, forum posts or comments or articles). But for the majority of consumer services that fetch more data than they push, this isn't such a big problem.
However,
Using a library like jQuery that supports JSONP, these details of inserting the special script tag and creating the special callback function are all taken care of automatically. Using a JS library, usually the only difference between JSONP and real AJAX is that you enable a 'jsonp' option.
I need to find a way to notify a 3rd party website about an user action on my website. A server sided connection is not desired. Hashing with private keys is used to sign the request so users can't abuse it.
My question is how I can send this request safely.
tracking image: XSA possible
iframe: XSA, frame breaker
script include: evilness at its best
JSONP (with jQuery): ??
others?
Does someone know if it's possible to inject Javascript in JSONP answers? I mean to bypass browser boundaries JSONP is Javascript that calls a function with the JSON as parameter but it could also contain other javascript calls. Does jQuery somehow check if there is malicious content in jsonp callbacks?
If you only need to target modern browsers, and you control all the domains, you can create an HTTP access control policy to allow them to communicate with each other. However, since that doesn't appear to be the case, you're going to be stuck with JSONP.
It's funny that you mention "script include" as "evilness at its best", because that's exactly what JSONP is. Since, until recently, browsers were incapable of cross-domain requests, the only way to get anything from a 3rd-party client-side was to include a script from that 3rd party. JSONP simply takes advantage of this workaround returning the JSON inside of a function definition, which your script can then call to get the included data.