Something I find really confusing, is why are AJAX requests limited to the same domain? What is the reasoning behind this?
I don't see any problem with requesting files from external locations, also servers making XMLHTTP requests seem to get and post to external locations fine.
asked Jul 1, 2010 at 9:56 by Tom Gullen; edited Oct 22, 2013 at 12:21 by informatik01
- It's probably so your password won't get sent to some bogus server... – Alxandr Commented Jul 1, 2010 at 10:02
- But the website you are on would have to send your password via a script, and they theoretically already know it so that would seem pointless? – Tom Gullen Commented Jul 1, 2010 at 10:03
4 Answers
Picture this:
You come to my fabulous website www.halfnakedgirls.com. You have fun watching what looks like technical documentation on human physiology, but behind your back, some lines of JavaScript are executing some request to another domain, let's say www.yourpaypallike.com.
Requests like http://www.yourpaypallike.com/account/[email protected]&amount=984654 or http://www.mymailprovider.com/mails/export?format=csv.
Do you now see why it is forbidden? =)
Tom, it is not "Ajax requests limited". AJAX is based on JavaScript. For security reasons, JavaScript is prohibited from accessing cross-domain resources. If you really want to do cross-domain Ajax, you can do a hack:
YourPage(Ajax) ----> YourServer ----> ExternalDomain
You can call a page on your server using Ajax; your domain will call the external domain using server-side code, get the result, and return it to you as the Ajax response. Of course the request made to the ExternalDomain server will be sent WITHOUT the cookies for ExternalDomain that reside in your browser's memory, because the request is made by your server and not your browser.
It's for security purposes - if a website could execute AJAX calls to any domain it wanted on the client side, it would pose a serious risk.
There are ways around this though - you could have your AJAX call a PHP script on the same domain, which in turn can call a script on another domain and return the result. This wouldn't be using the browser as the communication medium though, it'd be using your web server.
Here is some information to satisfy your question: http://en.wikipedia.org/wiki/Same_origin_policy