Because of its ability to communicate with the server, the XMLHttpRequest object (XHR), used in the technology Ajax (an acronym for Asynchronous JavaScript and XML, which should be pronounced "egiacs", although we prefer the Italian "aiacs"), has a security restriction that prevents it from making requests outside the domain in which it operates. This protection is necessary to prevent JavaScript injection of various kinds (techniques for "injecting" extremely dangerous code), whose ultimate objective is to "break into" the system.
This limit is now being taken seriously, and there is work on solving it somehow, directly in XmlHttpRequest, without compromising security (see also: Third Proposal for cross-site extensions to XMLHttpRequest).
In any case, the situation today is as follows:
The JavaScript code that uses the XmlHttpRequest object (on the page yourWebApp.html) can only make requests to the domain miodominio.com, i.e. the domain the JavaScript code comes from. A scenario of this kind, then:
... will not work!
Furthermore, as shown on The Same Origin Policy of Mozilla:
[..] Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html .
It is not just the domain that makes things difficult. Consider also that each browser has its own implementation of the XMLHttpRequest object, and therefore its own rules.
In any case, there are various techniques for getting around this problem.
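To make the quoted rule concrete, here is an added example (not code from the original post) that applies the same comparison, protocol, host and port, to a few URLs with PHP's parse_url. The candidate URLs are constructed here to illustrate the rule; the default ports 80 and 443 are filled in when a URL omits the port, which is how browsers treat http://host/ and http://host:80/ as the same origin.

```php
<?php
// Added example: same-origin comparison (scheme, host, port) for two URLs.
// Not the post's own code; candidate URLs below are constructed for illustration.

// Returns the origin as "scheme://host:port", filling in the default port when
// the URL omits it, or null when the URL has no usable scheme or host.
function originOf($url) {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    $defaults = array('http' => 80, 'https' => 443);
    if (isset($p['port'])) {
        $port = (int)$p['port'];
    } elseif (isset($defaults[$scheme])) {
        $port = $defaults[$scheme];
    } else {
        return null; // unknown scheme with no explicit port: cannot compare
    }
    return $scheme . '://' . $host . ':' . $port;
}

// True only when both URLs parse and their origins match exactly.
function sameOrigin($a, $b) {
    $oa = originOf($a);
    $ob = originOf($b);
    return $oa !== null && $oa === $ob;
}

$base = 'http://store.company.com/dir/page.html';
$candidates = array(
    'http://store.company.com/dir2/other.html',        // same origin: only the path differs
    'http://store.company.com/dir/inner/another.html', // same origin: deeper path
    'http://store.company.com:80/dir/page.html',       // same origin: explicit default port
    'https://store.company.com/secure.html',           // different protocol
    'http://store.company.com:81/dir/etc.html',        // different port
    'http://news.company.com/dir/other.html',          // different host
);
foreach ($candidates as $url) {
    printf("%-50s %s\n", $url, sameOrigin($base, $url) ? 'same origin' : 'different origin');
}
```

The first three candidates report "same origin" and the last three "different origin". Path and query never enter the comparison; that is exactly why a page on miodominio.com cannot be given data from another host by XHR without one of the workarounds described next.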
1. Proxy Server
This technique uses a server-side language to "trick", so to speak, the XHR object, creating a tunnel between the XHR object and the external domain we are targeting. PHP, for example, is able to retrieve information from other domains in various ways, depending on the type of installation and the restrictions set on our server. In the general case, what we tend to do is this:
In a nutshell, the XHR object communicates with our domain, where a specially written page retrieves the information from the external domain. This creates a proxy in PHP, a "pass-through" page that retrieves the information for us and returns it to the XHR object. One of the simplest proposals for a proxy server comes, for example, from Yahoo:
```php
<?php
// PHP Proxy example for Yahoo! Web services.
// Responds to both HTTP GET and POST requests
//
// Author: Jason Levitt
// December 7th, 2005
//

// Allowed hostname (api.local and api.travel are also possible here)
define('HOSTNAME', 'http://search.yahooapis.com/');

// Get the REST call path from the AJAX application
// Is it a POST or a GET?
$isPost = isset($_POST['yws_path']);
$path = $isPost ? $_POST['yws_path'] : (isset($_GET['yws_path']) ? $_GET['yws_path'] : '');
$url = HOSTNAME . $path;

// Open the Curl session
$session = curl_init($url);

// If it's a POST, put the POST data in the body
if ($isPost) {
    $postvars = '';
    while ($element = current($_POST)) {
        $postvars .= key($_POST) . '=' . $element . '&';
        next($_POST);
    }
    curl_setopt($session, CURLOPT_POST, true);
    curl_setopt($session, CURLOPT_POSTFIELDS, $postvars);
}

// Don't return HTTP headers. Do return the contents of the call
curl_setopt($session, CURLOPT_HEADER, false);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);

// Make the call
$xml = curl_exec($session);

// The web service returns XML. Set the Content-Type appropriately
header("Content-Type: text/xml");

echo $xml;

curl_close($session);
?>
```
This code uses curl, a well-known PHP library, to bypass any restrictions on the simpler and better-known commands fopen(), fread(), etc. It would in fact be enough to open the target on our external domain with one of the many functions PHP makes available, such as readfile(). Unfortunately, these functions are often disabled or limited on some hosts, for security reasons. The curl functions, however, are almost always available.
2. The good old IFRAME TAG
I still remember when, in 1996, I implemented one of the first Remote Scripting techniques (as it was called at the time, when Ajax was just a detergent). The IFRAME tag is still used today, abused, loved and despised, depending on the programmer who uses it. The IFRAME tag is often pointed at as a "thing to do", a dangerous door for a hacker. Ultimately, with the introduction of the XmlHttpRequest object in browsers, the IFRAME is despised even more by the "Ajax purists". In fact it is still used a lot, both for including widgets, gadgets and antipixel badges in blogs (if you have a blog, your page is probably full of IFRAME "holes" and you don't even know it), and to bypass any blocking or absence of the XmlHttpRequest object itself.
An IFRAME opens a browser window within the browser. This window can display a page from an external domain and is accessible from the JavaScript code in the parent page. This is a different way to bypass the XmlHttpRequest object's restriction.
3. Other techniques
There are also many other alternatives, depending on the circumstances we find ourselves in (whether you can install specific tools or manipulate the web server at a low level). You can use Apache's mod_rewrite or mod_proxy, or libraries like JSON, to overcome the problem.
Other techniques (follow the links below under "see also") are nice variations, but some have restrictions on the browsers that support them, so be careful. The best, in my opinion, is the use of a simple proxy server with PHP.
4. Flash
Allow me to add Flash among the techniques for overcoming the cross-domain restriction, if only because I mentioned it in a previous post: Ajax without the HTTPRequest. Flash, of course, has nothing to do with the XHR object and, more than ever, nothing to do with JavaScript. However, keep in mind some important features:
- A Flash movie can interact with JavaScript and the DOM of the web page
- Javascript can interact with a Flash movie
- Adobe AIR is a system in which HTML, JavaScript/Ajax and Flash coexist harmoniously and functionally
Flash, unlike the XHR object, therefore has no binding restriction on cross-domain access. Flash has a number of features aimed at security and access control between two different domains, one of which is the one on which our movie is "running". However, they are easily set in code and depend largely on the choices of the developer who wrote it. Access to an RSS file on any domain is therefore very simple in Flash. Moreover, instead of using a PHP page as a proxy, you can take advantage of Flash's ability to communicate with JavaScript and use Flash itself as the proxy.
A PHP proxy server example for everyone
A simple example of how to write a PHP page that acts as a minimal proxy server, which I use very often ...
```php
<?php
function getContent($url) {
    $ch = curl_init();
    $timeout = 5; // set to zero for no timeout
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $file_contents = curl_exec($ch);
    curl_close($ch);
    // Display file
    return ($file_contents);
}
?>
```
This simple function uses the curl library to access a page, which might be, for example, an XML RSS feed. In this way an Ajax call receives the result through this simple PHP proxy server.
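As written, getContent() fetches whatever URL it is handed, so if the URL comes straight from the Ajax request's query string, the page becomes an open proxy that anyone can point at other sites, or at hosts reachable only from the server (the server-side request forgery problem). The following is an added example, not the post's own code, of the same curl proxy restricted to an allowlist of feed hosts. It assumes the proxy is called as proxy.php?url=... (the parameter name "url" and the hosts in $ALLOWED_HOSTS are assumptions constructed for the example).

```php
<?php
// Added example: hardened variant of the minimal curl proxy. Not the post's code.
// Assumed call shape: proxy.php?url=http://example.com/feed.xml
// $ALLOWED_HOSTS is a constructed allowlist; replace with the feed hosts you trust.
$ALLOWED_HOSTS = array('example.com', 'feeds.example.org');

// True only for absolute http/https URLs whose host is on the allowlist.
function isAllowedUrl($url, array $allowedHosts) {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // no file://, ftp://, gopher:// etc. through the proxy
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // user:pass@host forms are a classic way to confuse host checks
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Fetches an allowed URL with curl. Returns array('status' => int, 'body' => string),
// or null when the URL is rejected or the transfer fails. Redirects are NOT followed,
// so an allowed host cannot bounce the proxy to an internal address.
function fetchAllowed($url, array $allowedHosts, $timeout = 5) {
    if (!isAllowedUrl($url, $allowedHosts)) {
        return null;
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout * 4); // total transfer cap, not just connect
    $body = curl_exec($ch);
    if ($body === false) {
        curl_close($ch);
        return null;
    }
    $status = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return array('status' => $status, 'body' => $body);
}

// Request handling runs only when the script is served by the web server,
// so the functions above can also be included from a test script on the CLI.
if (php_sapi_name() !== 'cli') {
    $target = isset($_GET['url']) ? $_GET['url'] : '';
    $result = fetchAllowed($target, $ALLOWED_HOSTS);
    if ($result === null || $result['status'] !== 200) {
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain');
        echo 'URL not allowed or not available';
        exit;
    }
    // Always serve the feed as XML, whatever the remote side claimed, and forbid
    // content sniffing so a page served through the proxy cannot run as HTML.
    header('Content-Type: text/xml; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $result['body'];
}
```

Two caveats remain even with the allowlist. A hostname check does not prevent an allowed host from resolving, now or later, to a private address, so a proxy that must be exposed to untrusted users should also resolve the name and reject private and loopback ranges before connecting. And because the proxy sits on the same origin as the Ajax page, whatever it returns is trusted by the browser as first-party content; forcing text/xml and nosniff, as above, keeps a remote HTML page from being rendered under our domain.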
Published recently, see also: Cross Domain Ajax
undolog » Blog Archive » Tunneling and Proxy Server for Ajax and more ...
Great article, I'll "deliciousizzo" on the fly
[...] Equip yourself with a proxy (tunneling) because of the protections imposed by both technologies (see Tunneling and Proxy Server for Ajax and more). If SimplePie is already present on your site or blog, you can write a simple proxy [...]