Ajax is commonly used to asynchronously fetch data from web applications deployed on the same domain (the user is not forced to reload the whole page while awaiting new data). So what happens when the target URI domain differs from the domain on which the Ajax script is running (cross-site)?
A web browser makes a request using the OPTIONS method and the following headers are set:
X-Requested-With: XMLHttpRequest
Origin: http://my.script.domain.com
The browser informs the requested resource about the type of the request (Ajax), and its origin (my.script.domain.com). If the target site accepts such requests it should attach the following response headers:
Access-Control-Allow-Origin: http://my.script.domain.com
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Max-Age: 3600
The first three headers determine which requests may reach the resource: in this example only GET / OPTIONS Ajax requests from my.script.domain.com may be performed. The fourth header tells the browser how long (in seconds) it may cache this preflight response. So if the intended Ajax request meets these requirements, the browser sends the actual request using the appropriate method and processes the response.
If the response headers do not indicate that the request is allowed, or there are no such headers at all (not all are obligatory), the second request is not performed. This security mechanism is implemented in all commonly used browsers... let's face it, without it Ajax would be a very dangerous technology...
Summing up: if you ever want to enable cross-site ajax requests for your site you must configure the Access-Control-Allow-* policy on the target server.
Tip: If you want your server to accept such requests from all sites, you may use the following policy:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, DELETE, HEAD, OPTIONS
Access-Control-Max-Age: 1209600
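The preflight decision described above, as an added example that is not code from the original post: a server-side function that checks the browser's OPTIONS request against a policy like the ones shown and either returns the Access-Control-* response headers or refuses. The policy object shape and the function names are assumptions; the sample preflight carries the Access-Control-Request-* headers a browser uses to announce the method and custom headers of the real request.

```javascript
// Added example (not from the original post): minimal CORS preflight decision.
// The policy shape and function names are assumptions for this illustration.

// Policy describing what the target server accepts.
const policy = {
  allowedOrigins: ["http://my.script.domain.com"], // or "*" for every site
  allowedMethods: ["GET", "OPTIONS"],
  allowedHeaders: ["x-requested-with"],
  maxAge: 3600,
  allowCredentials: false,
};

// Decide how to answer an OPTIONS preflight. `req` holds the request headers
// the browser sent (lower-cased names). Returns the response headers to
// attach, or null when the request must be refused (the browser then never
// sends the real request).
function preflight(req, pol) {
  const origin = req["origin"];
  const method = (req["access-control-request-method"] || "").toUpperCase();
  const headers = (req["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  const originOk = pol.allowedOrigins === "*" || pol.allowedOrigins.includes(origin);
  const methodOk = pol.allowedMethods.includes(method);
  const headersOk = headers.every((h) => pol.allowedHeaders.includes(h));
  if (!origin || !originOk || !methodOk || !headersOk) return null;

  const out = {
    // With credentials, browsers reject "*": the concrete origin must be echoed.
    "Access-Control-Allow-Origin":
      pol.allowedOrigins === "*" && !pol.allowCredentials ? "*" : origin,
    "Access-Control-Allow-Methods": pol.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": pol.allowedHeaders.join(", "),
    "Access-Control-Max-Age": String(pol.maxAge),
  };
  if (pol.allowCredentials) out["Access-Control-Allow-Credentials"] = "true";
  // Shared caches must key on Origin when the allowed origin is not "*".
  if (out["Access-Control-Allow-Origin"] !== "*") out["Vary"] = "Origin";
  return out;
}

// Constructed preflight request, as a browser would send it for the case above.
const sampleRequest = {
  "origin": "http://my.script.domain.com",
  "access-control-request-method": "GET",
  "access-control-request-headers": "x-requested-with",
};
```

Running `preflight(sampleRequest, policy)` yields the four headers from the first example; switching `allowedOrigins` to `"*"` yields the wildcard policy from the tip, except that a credentialed policy always echoes the concrete origin instead.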