Javascript support in C++ WebBrowser Control? - Same Domain Bypass?

I can't seem to get all Javascript functionality to work on the WebBrowser Control (linked below)
This could possibly be due to the same-domain issue - local html files have some ajax that calls address on external server. Is there a way to modify the control to omit the same domain?
http://msdn.microsoft.com/en-us/library/aa752040(VS.85).aspx

XMLHttpRequest (ajax) does not work cross domain, unless you proxy your requests to be on the same domain, though this will not work for local html files run from the disc without a server.
The alternative is JSONP, which works anywhere.
see: What is JSONP all about?

Yes you can implement IInternetSecurityManager::GetSecurityId on the host to return the same value for the script urls you want to put in the same domain.

Related

Clarification of cross-domain AJAX?

I'd like to get some clarification on what cross-domain AJAX means in terms of the mechanics behind it.
Say for example, I have a website http://www.example.com. This website contains a javascript file, which within contains several standard jQuery based AJAX calls (e.g. $.post(), $.get() etc), located at http://www.example.com/js/script.js.
Now, I have another website http://www.helloworld.com, which contains the following;
<script type="text/javascript" src="http://www.example.com/js/script.js"></script>
Would the AJAX requests within http://www.example.com/js/script.js which make requests to http://www.example.com be considered "cross-domain" and therefore carry compatibility issues when the file is included on http://www.internet.com?
Any answers would be great!
JS is executed on the client side, so it doesn't matter where the source of the file resides, it'll be executed from the domain in the address bar.
In order to be able to include a javascript from another domain, the server that serves that JS needs to provide the file with the correct headers.
In particular the headers need to have the Access-Control-Allow-Origin set for the domain requiring a cross-domain JS.
Just for test purpose you might want to run Chrome with the parameter --allow-file-access-from-files and it won't stop cross origin requests.

Javascript/JQuery ajax help needed

I'm a little confused here, maybe someone can help.
1) Javascript ajax request question: Can I use XMLHttpRequest to directly make a request to any other website - not the originating server?
2) JQuery ajax request question: Can I use $.ajax to directly make a request to any other website - not the originating server?
Browsing the web, I've found some stuff about how this might be forbidden due to XSS(cross-site-scripting), and that the work-around is to use a server scripting language and a webservice...but whatever that's not any concern to me.
If anyone can answer, please help!
I believe there is a confusion of terms here. This has nothing to do with XSS. The reason why you cannot get information with javascript across different domains (even http vs. https on the same domain) is due to the Same Origin Policy, which exists to prevent confusion of a session on a trusted site with an untrusted one without the user's direct intervention (e.g. by choosing to visit the different domain). XSS is a totally different concept that has to do with the infusion of scripts into a page with malicious intent for the user.
As for accessing across domains all hope is not lost. XMLHttpRequest vs. .ajax() doesn't matter, but jsonp allows for an exchange of information across domains. Since HTML5, postMessage() has also been introduced which allows communication across domains as well (and to scripts no less!)
This question discusses the same problem. You have to fetch the contents of the other site on the server side.
You can not cross-site ajax requests. When you use jquery $.ajax to get data from a different domain, behind the scenes jquery takes the url and appends an include in the header of the document.
You're correct this is forbidden for security reasons.
jQuery's .ajax() is a simple way to use JavaScript's XMLHttpRequest in one function. In the end, it's just XMLHttpRequest.
Cross Site Scripting (XSS) prevents all cross-domain requests, but yes, you can use a serverside solution to overcome it.
But then there's JSONP, which does let JavaScript do cross-site requests, but only for a limited dataset.
Yes, it's possible with JSONP. Use it like this:
$.ajax({
    url: 'remote_url',
    type: 'post',
    dataType: 'jsonp', // This does the trick
    success: function (remoteData) {
        // Use remoteData here. Note it's already json parsed, so it's a javascript object
    }
});
Hope this helps
Lastly you CAN make cross domain ajax if the server you are calling has implemented CORS and allows your domain to call it
1) Javascript ajax request question: Can I use XMLHttpRequest to directly make a request to any other website - not the originating server?
No, the server at the domain you're trying to connect to must accept cross-domain AJAX; otherwise, the only way to access this data is by using a page at your server that will proxy the requested data to your visitors.
2) JQuery ajax request question: Can I use $.ajax to directly make a request to any other website - not the originating server?
jQuery AJAX technology is actually a wrapper around the native XMLHttpRequest, so if the normal XMLHttpRequest works, the same should be true for jQuery.
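The check the answers above describe (same origin first, then CORS response headers), as an added example that is not part of the original thread. It is a simplified model of the browser's decision for a simple request (preflight is not modelled), and the function and parameter names are hypothetical. The location of the script file is deliberately not an input: only the document's origin counts.

```javascript
// Added illustration: a simplified model, not browser source code.
// Function and parameter names are hypothetical.

// Serialized origin (scheme://host:port). Relative URLs resolve against the
// document; file: and data: URLs have an opaque origin, serialized as "null".
function originOf(url, base) {
  return new URL(url, base).origin;
}

// May script in the page at `documentUrl` read the response for `requestUrl`?
// `responseHeaders` uses lower-case header names.
function canScriptReadResponse(documentUrl, requestUrl,
                               responseHeaders = {}, withCredentials = false) {
  const docOrigin = originOf(documentUrl);
  const reqOrigin = originOf(requestUrl, documentUrl);

  // Same origin: scheme, host and port all match. Opaque origins never match.
  if (docOrigin !== 'null' && docOrigin === reqOrigin) {
    return { allowed: true, reason: 'same-origin' };
  }

  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'cross-origin, no Access-Control-Allow-Origin' };
  }

  if (withCredentials) {
    // With cookies attached, "*" is not accepted and the server must also
    // send Access-Control-Allow-Credentials: true.
    const ok = allowOrigin === docOrigin &&
               responseHeaders['access-control-allow-credentials'] === 'true';
    return { allowed: ok, reason: ok ? 'cors-with-credentials' : 'credentials not allowed' };
  }

  const ok = allowOrigin === '*' || allowOrigin === docOrigin;
  return { allowed: ok, reason: ok ? 'cors' : 'origin not allowed' };
}
```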

JavaScript XMLHttpRequest breaks when accessed from alternate domain name

I have two domain names that point to my website, nathannifong.com, and uncc.ath.cx.
Javascript on the site occasionally needs to pull down resources with XMLHttpRequest. All URLs of resources in client scripts refer to nathannifong.com, and when a user comes to the site by uncc.ath.cx, the scripts fail because of cross domain security policy in JavaScript.
What should I change so that users can come to the site by any domain name, but the XMLHttpRequests still work?
If you are using the domain name in the URLs to make an ajax request, remove it; the domain is then automatically mapped to the one the user is using and you will not have the cross domain issues.
xhr is constrained by the same origin policy and will not work cross domain - for that use jsonp as already mentioned.
According to The CodeProject, JSONP would be a way of accomplishing this. I've not used it myself, however, but it might be worth taking a look there.
You could look at window.location to determine the page's domain, and then use that to load the request? That way you'd be sure that the request was going to the right domain. You could also look into JSONP, but only for GET requests.

How can we use JavaScript for cross-domain getting of a web page Without the use of XMLHttpRequest? Is there a plug-in that could do this?

Using JavaScript, it is much needed to get some pages from the web without actually moving from the current page and hidden from the user's eyes.
To request a web page without showing it to the user, it is easy to use XMLHttpRequest but it has its own limitations most importantly it does not retrieve cross-domain pages very well. For security reasons the browsers (Mozilla FireFox 3.6+ in my case) retrieve a header from the target site and if the referrer's location is allowed access in that header, only then will the browser continue getting the target web page and JavaScript can only then parse the retrieved info.
This causes the XMLHttpRequest to work with some pages and not work with others if you are trying to access cross-domain pages. Of course it works well if you need to retrieve the information from the same location as the referrer page where the XMLHttpRequest is located.
This is a big problem, when security is not really no 1 priority. For example, imagine writing a script for retrieving live data from a statistics-producing web site or imagine a bot that needs to retrieve data from an online gaming web-site.
Now, how can JavaScript be used to get pages from other domains (cross-domain reference)?
I thought maybe we could find a plug-in that does the job (of course after installation upon user's permission) and then use its properties by JS and eliminate the need for XMLHttpRequest. Do you know any such plug-in or another roundabout for this problem? (ie get cross-domain data by JS without XMLHttpRequest) of course we cannot use XMLHttpRequest as we don't have any control over the target page headers and we obviously want to hide the whole process from the user
You’ll find that it’s the priority that the target site puts on their own security that is most important. If they're unconcerned about JavaScript on other sites accessing their site, they can set the HTTP Access Control headers for cross-domain XMLHTTPRequest, provide a crossdomain.xml file for Flash, provide a JSONP API, or provide some hooks for iframe monitoring.
The second solution is to make the requests to a server on your domain which proxies the request to the target site. In certain circumstances you may be able to use a third party server which supports cross-domain or JSONP requests, like Yahoo! Pipes.
If neither of these is feasible, you'll need to convince the user to allow you to run your own code on their PC. This could be via a signed Java applet which requests special permissions, or your own custom browser plugins or extensions.
There are several ways including using JSONP with XMLHttpRequest, using Flash and using iframes.
Here is some information on this subject. http://snook.ca/archives/javascript/cross_domain_aj
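How a target site can opt in through the HTTP Access Control headers mentioned in the answers above, as an added example that is not part of the original thread. It is framework-independent; the function name and the allowlist entries are constructed for illustration.

```javascript
// Added illustration: server-side choice of CORS response headers.
// SAMPLE_ALLOWED_ORIGINS and corsHeadersFor are hypothetical names;
// the origins are constructed sample values.
const SAMPLE_ALLOWED_ORIGINS = new Set([
  'https://stats-dashboard.example',
  'https://partner.example',
]);

// requestOrigin: value of the request's Origin header (undefined if absent).
// Returns the headers to add to the response.
function corsHeadersFor(requestOrigin, allowed = SAMPLE_ALLOWED_ORIGINS,
                        { allowCredentials = false } = {}) {
  // The response depends on Origin, so shared caches must key on it.
  const headers = { 'Vary': 'Origin' };

  // No Origin header: not a cross-origin browser request, nothing to grant.
  if (typeof requestOrigin !== 'string') return headers;

  // Exact string match only. Substring or suffix checks would also accept
  // look-alike hosts, and "null" (file: pages, sandboxed frames) is shared
  // by unrelated documents, so it is never granted.
  if (requestOrigin === 'null' || !allowed.has(requestOrigin)) return headers;

  // Echo the single matching origin rather than "*", which browsers
  // refuse for credentialed requests.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```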

Avoid x-domain solutions

I'm currently working on a web application that customers can add to their webpages by adding a javascript link to a js file on my server. The application reads all the javascript files from my server, but I still get an error when trying to use ajax to get data from my database. I didn't think that would be a problem because the files are on my server.
Can I fix this or do I have to make a cross-browser solution? I don't have any control over the customers' server.
Thanks in advance
Mikael
This is not possible: When you execute a remote script, it runs in the context of the containing document.
There are some popular workarounds for this:
Using an iframe, which fixes the cross-domain problem but doesn't integrate well with the remote site (e.g. no custom styling)
Using JSONP to make cross-domain Ajax requests (detailed explanation here)
Using a server-side proxy script (not an option in this scenario)
Using YQL (I'm not familiar with this but it's said to work)
The same origin policy is based on the host document not the script itself.
You need to use a cross domain ajax technique.
