Sending data to an external file via Ajax - javascript

When I use this code, it works:
ajax.open("post","a.php",true);
but when I try to send data to an external file like:
ajax.open("post","http://www.example.com/a.php",true);
it doesn't work.
Is there any solution?

The URL of the file that must be opened - the location of the server-side script. This can be an absolute URL like (http://www.foo.com/bar.php) or a relative one (/bar.php). A note of caution - this URL should be in the same domain as the script is. You cannot call a script in google.com from a script that is running in yahoo.com. This is a security measure implemented in most browsers to prevent XSS.
Regards,
Cyril

On which domain is your script executed? Is it www.site.com or some other?
The reason your code might not work is that, for security reasons, you are not allowed to send AJAX requests to other domains.
Edit: One workaround would be to implement a web service on mysite.com and send the AJAX request to it. The service should then proxy the original request to othersite.com (server-side) and subsequently return the response to the script being executed on mysite.com.

Related

Execute function in Iframe from parent window

Impossible to execute a function in the iframe from the parent without the sandbox value allow-same-origin (when I add it, it works).
But I need to avoid this for the security of my module.
Blocked a frame with origin from accessing a cross-origin frame
The domain, port and protocol are the same. Only the path to the file is different.
If you have server-side language skills, you can scrape the URL that you want to post to and deliver it locally. Some would call this a router page.
So, myrouter.php receives $_POST['url'], PHP validates the URL through a hash or some other means, then delivers the content to your app. Now you are able to post into the container. Otherwise, and I just digested the rest of your problem, you could use a server-side include and "Bam", problem solved.
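The proxy and router-page workarounds in the answers above both have the server fetch a URL on the browser's behalf, so the URL has to be checked before it is fetched. The following is an added example, not code from either answer, written in JavaScript rather than PHP; it uses a host allowlist as the "other means" of validation, and `ALLOWED_HOSTS` and `validateUpstream()` are hypothetical names.

```javascript
// Added example, not code from the answers above. ALLOWED_HOSTS and
// validateUpstream() are hypothetical names; othersite.com is the remote
// host named in the first answer on this page.
const ALLOWED_HOSTS = new Set(["othersite.com"]);

// Returns the normalised URL the proxy may fetch, or null to refuse.
function validateUpstream(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // absolute URLs only; relative input throws
  } catch (err) {
    return null;
  }
  // Only plain web schemes; anything else (ftp:, file:, ...) is refused.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // "http://othersite.com@unlisted.test/" parses with host unlisted.test,
  // so refuse any URL that carries userinfo.
  if (url.username !== "" || url.password !== "") return null;
  // Exact host match: a suffix or substring test would also accept
  // othersite.com.unlisted.test.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  // Default port only (URL reports 80/443 as an empty string).
  if (url.port !== "") return null;
  return url.href;
}

// Constructed sample values for the url parameter.
const samples = [
  "http://othersite.com/a.php",
  "HTTP://OTHERSITE.COM:80/a.php",
  "http://othersite.com.unlisted.test/a.php",
  "http://othersite.com@unlisted.test/a.php",
  "ftp://othersite.com/a.php",
  "a.php",
];
for (const s of samples) {
  console.log(s, "->", validateUpstream(s) ?? "refused");
}
```

The server-side fetch should also refuse redirects, or run each redirect target through the same check.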

Cross domain / Cross browser , ajax call

Here's the scenario,
I have a main.js file in abc.com which does $.post("index.php") to access contents from the index.php from the same domain (abc.com).
This works great, as it is same domain ajax call.
But now, anyone can include main.js in their website (say domain xyz.com).
Now, the path index.php (in $.post("index.php")) refers to a file in domain xyz.com (not abc.com). If I put an absolute path http://www.abc.com/index.php, this does not work in some browsers (cross-domain ajax restriction).
Now,
If I put headers to allow cross-domain in the PHP file, it does not work either; it fails in IE 7 and below.
P.S. I need to put content in the index.php file (not in main.js). Also, I don't want to include a PHP file
<script type='text/javascript' src='http://abc.com/index.php'></script>
and I would prefer not to configure the server to treat .js files as PHP (so I can put PHP code in a js file).
The content is huge, so I cannot do a GET request or JSONP (I think JSONP does not allow large data).
Am I missing something? How can I achieve this?
You can use either JSONP or CORS to achieve this.
I've used JSONP and am going to try CORS next week. I think CORS is still asynchronous, so that might have the edge for me. At least that's my hope...
I think you need to go for a server-side solution. Read the file (i.e. index.php) in PHP and save the required output in a hidden field, and on DOM ready you can use the data from that hidden field.
A curl request on the server side should work as well. I'd say try JSONP first, but if it won't work, go for a curl request.

Cross-(sub)domain AJAX POST request (with file/large body)

I need a script to perform a POST request to a different sub-domain than the one the page loads from, e.g. load data from domain.com and perform the AJAX POST to post.domain.com.
I've read about some alternatives that work mainly for GET or POST with simple form data, but in this case I'll be posting a file (can be quite large).
I control the server, and both the page and the target are under the same domain. Is there any way to do this with JS/Iframes or do I have to resort to Flash/Flex?
As a side question, does mod_proxy for Apache redirect a POST when the HTTP request is fully read (at Apache), or does it start redirecting traffic (like a TCP tunnel) as soon as the headers are read?
Maybe Why am I getting an OPTIONS request instead of a GET request? can help you.
For requesting data from another subdomain you could look at JSONP
For posting files you can definitely use iframes.
This is a good tutorial: http://www.openjs.com/articles/ajax/ajax_file_upload/

Difference between localhost and IP address in Ajax request sending

I have a strange problem with native Ajax request invoking.
I am creating the Ajax object and sending the request as follows:
var xmlHttpObj = new XMLHttpRequest();
....
xmlHttpObj.open("GET","http://192.168.16.254:8080/ajax/demoExample.html",true);
xmlHttpObj.send();
When I access the servlet with the URL something like http://localhost:8080/ajax...,
then I am not able to get the response in the client side. But I can see the response in the server side.
In a similar way, if I invoke the request with
xmlHttpObj.open("GET","http://localhost:8080/ajax/demoExample.html",true);
and my URL is http://192.168.16.254:8080/ajax..., then also I am not able to see the response in my client side.
I know the best way to fix the problem.
I can invoke the request with
xmlHttpObj.open("GET","../ajax/demoExample.html",true);
xmlHttpObj.send();
then I don't have any problem with either localhost or IP address.
But I still wonder why there is a difference between localhost and the IP address in Ajax requests.
It's more of a security feature than a problem:
"The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin."
localhost and 192.168.16.254 are considered different origins. The same goes for two hostnames that point to the same address, as they could (and probably will) point to a different site/application on the same server. AFAIK the only way around this is to use an iframe for content or JSONP for JSON. Although in your case relative URLs are the way to go.
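The comparison the answer describes, as an added example that is not part of the original posts: it resolves the request URL against the page URL the way the browser does and reports which part of the origin (scheme, host, port) differs. `compareOrigins()` is a hypothetical name, and the page paths are constructed because the question elides them.

```javascript
// Added example: compares the origin of a page with the origin that an
// XMLHttpRequest URL resolves to. compareOrigins() is a hypothetical name.
function compareOrigins(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Relative request URLs are resolved against the page, as the browser does.
  const target = new URL(requestUrl, page);
  const differs = [];
  if (page.protocol !== target.protocol) differs.push("scheme");
  // Hosts are compared as strings: a name and the IP address it resolves
  // to are different hosts, and so are two subdomains of one domain.
  if (page.hostname !== target.hostname) differs.push("host");
  // URL normalises default ports (80 for http, 443 for https) to "".
  if (page.port !== target.port) differs.push("port");
  return { target: target.href, sameOrigin: differs.length === 0, differs };
}

// Request URLs are taken from the questions on this page; the page paths
// (page.html, index.html) are constructed.
const cases = [
  ["http://localhost:8080/ajax/page.html", "http://192.168.16.254:8080/ajax/demoExample.html"],
  ["http://192.168.16.254:8080/ajax/page.html", "http://localhost:8080/ajax/demoExample.html"],
  ["http://192.168.16.254:8080/ajax/page.html", "../ajax/demoExample.html"],
  ["http://www.example.com/index.html", "http://n1.example.com//echo?message=hello"],
  ["http://www.example.com:80/index.html", "http://www.example.com/a.php"],
];
for (const [page, request] of cases) {
  const r = compareOrigins(page, request);
  const verdict = r.sameOrigin ? "same origin" : "cross-origin (" + r.differs.join(", ") + ")";
  console.log(page + " -> " + r.target + ": " + verdict);
}
```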

A question about cross-domain (subdomain) ajax request

Let's say I have the main page loaded from http://www.example.com/index.html. On that page there is js code that makes an ajax request to http://n1.example.com//echo?message=hello. When the response is received a div on the main page is updated with the response body.
Will that work on all popular browsers?
Edit:
The obvious solution is to put a proxy in front of www.example.com and n1.example.com and set it so that every request going to a subresource of http://www.example.com/n1 gets proxied to http://n1.example.com/.
Cross-domain is an entirely different subject. But cross-subdomain is relatively easy. All you need to do is to set document.domain to be the same in both the parent page and the iframe page.
document.domain = "yourdomain.com"
More info here
Note: this technique will only let you interact with iframes from parents of your domain. It does not alter the Origin sent by XMLHttpRequest.
All modern browsers support CORS and henceforth we should leverage this addition.
It works on a simple handshaking technique where the two domains communicating trust each other by way of HTTP headers sent/received. This was long awaited as same origin policy was necessary to avoid XSS and other malicious attempts.
To initiate a cross-origin request, a browser sends the request with an Origin HTTP header. The value of this header is the site that served the page. For example, suppose a page on http://www.example-social-network.com attempts to access a user's data in online-personal-calendar.com. If the user's browser implements CORS, the following request header would be sent:
Origin: http://www.example-social-network.com
If online-personal-calendar.com allows the request, it sends an Access-Control-Allow-Origin header in its response. The value of the header indicates what origin sites are allowed. For example, a response to the previous request would contain the following:
Access-Control-Allow-Origin: http://www.example-social-network.com
If the server does not allow the cross-origin request, the browser will deliver an error to example-social-network.com page instead of the online-personal-calendar.com response.
To allow access to all pages, a server can send the following response header:
Access-Control-Allow-Origin: *
However, this might not be appropriate for situations in which security is a concern.
It is explained very well on the wiki page below.
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
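The server side of the exchange described in this answer, as an added example that is not code from the original post: it answers with the requesting origin only when that origin is on an exact-match list, instead of sending `*`, and also handles the OPTIONS preflight that browsers send before non-simple requests. `ALLOWED_ORIGINS` and `corsHeaders()` are hypothetical names, and the allowed methods and headers are assumptions.

```javascript
// Added example, not code from the answer. ALLOWED_ORIGINS and
// corsHeaders() are hypothetical names.
const ALLOWED_ORIGINS = new Set([
  "http://www.example-social-network.com", // the origin used in the answer
]);

// Returns the CORS response headers for one request. `req.headers` uses
// lower-case header names, as Node's http module delivers them.
function corsHeaders(req) {
  // The response depends on Origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };
  const origin = req.headers["origin"];
  // Exact string comparison against the list. Requests with no Origin
  // header or an unlisted origin get no Access-Control-* headers, so the
  // browser withholds the response from the calling script.
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) return headers;
  // Echo the one matching origin instead of sending "*".
  headers["Access-Control-Allow-Origin"] = origin;
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = "GET, POST"; // assumed methods
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600"; // seconds the preflight may be cached
  }
  return headers;
}

// Constructed sample requests.
const requests = [
  { method: "GET", headers: { origin: "http://www.example-social-network.com" } },
  { method: "OPTIONS", headers: { origin: "http://www.example-social-network.com",
                                  "access-control-request-method": "POST" } },
  { method: "GET", headers: { origin: "http://www.example-social-network.com.unlisted.test" } },
  { method: "GET", headers: { origin: "null" } },
  { method: "GET", headers: {} },
];
for (const req of requests) {
  console.log(req.method, req.headers.origin, corsHeaders(req));
}
```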
Another solution that may or may not work for you is to dynamically insert/remove script tags in your DOM that point to the target domain. This will work if the target returns json and supports a callback.
Function to handle the result:
<script type="text/javascript">
  function foo(result) {
    alert(result);
  }
</script>
Instead of doing an AJAX request you would dynamically insert something like this:
<script type="text/javascript" src="http://n1.example.com/echo?callback=foo"></script>
Another workaround is to direct the ajax request to a PHP (for example) page on your domain, and in that page make a cURL request to the subdomain.
The simplest solution I found was to create a PHP file on your subdomain and include your original function file within it using a full path.
Example:
www.domain.com/ajax/this_is_where_the_php_is_called.php
Subdomain:
sub.domain.com
Create:
sub.domain.com/I_need_the_function.php
Inside I_need_the_function.php just use an include:
include_once("/server/path/public_html/ajax/this_is_where_the_php_is_called.php");
Now call sub.domain.com/I_need_the_function.php from your javascript.
var sub = "";
switch (window.location.hostname)
{
  case "www.domain.com":
    sub = "/ajax/this_is_where_the_php_is_called.php";
    break;
  case "domain.com":
    sub = "";
    break;
  default: // your subdomain (or add more "case"s)
    sub = "/I_need_the_function.php";
}
xmlHttp.open("GET", sub, true);
The example is as simple as I can make it. You may want to use better formatted paths.
I hope this helps someone. Nothing messy here - and you are calling the original file, so any edits will apply to all functions.
New idea: if you want cross-subdomain requests (www.domain.com and sub.domain.com) and you are working on Apache, things can get a lot easier. If a subdomain actually is a subdirectory in public_html (sub.domain.com = www.domain.com/sub/), then if you have ajax.domain.com/?request=subject... you can do something like this: www.domain.com/ajax/?request=subject
Works like a charm for me, and no stupid hacks, proxies or difficult things to do for just a few Ajax requests!
I wrote a solution for cross-subdomain requests and it's been working for my applications. I used an iframe and set document.domain="domain.com" on both sides. You can find my solution at:
https://github.com/emphaticsunshine/Cross-sub-domain-solution
