Ajax.Query and cross-site AJAX requests?

Ajax.Query and cross-site AJAX requests?

xwiki.mexon
Hi,

I want one of my pages to make a post to another site and insert the
results into its page.  Right now I've got a JavaScriptExtension that
looks like:

function doquery() {
     new Ajax.Request('http://mat.exon.name/test.php', {
         method:'post',
         parameters:{
             'arg' : document.getElementById('thearg').value,
         },
     });
     return false;
}

I find that this does an OPTIONS request, but not the intended POST.  If
I change the URL to a local page, the POST goes through as intended.  Am
I tripping up over some kind of XSS defense, and is there some way to
turn it off?

_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users

Re: Ajax.Query and cross-site AJAX requests?

Jérôme Velociter
Hi,

Indeed you are hitting the standard "same origin policy".

You have 3 possibilities to circumvent it:

* With JSONP requests - if the server supports them, and only for GET
requests [1]
* With CORS/pre-flight requests - if the server supports them [2]
* With a proxy (for example a page on your wiki) that does the URL GET
or POST, and you hit the proxy with your Ajax requests.

Hope this helps,
Jerome

[1] http://en.wikipedia.org/wiki/JSONP
[2] http://en.wikipedia.org/wiki/Cross-origin_resource_sharing


On 26/01/13 05:03, [hidden email] wrote:

> Hi,
>
> I want one of my pages to make a post to another site and insert the
> results into its page.  Right now I've got a JavaScriptExtension that
> looks like:
>
> function doquery() {
>     new Ajax.Request('http://mat.exon.name/test.php', {
>         method:'post',
>         parameters:{
>             'arg' : document.getElementById('thearg').value,
>         },
>     });
>     return false;
> }
>
> I find that this does an OPTIONS request, but not the intended POST.  
> If I change the URL to a local page, the POST goes through as
> intended.  Am I tripping up over some kind of XSS defense, and is
> there some way to turn it off?
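
Added example, not part of the original thread or of XWiki: a server-side decision function for the CORS option above, producing the Access-Control-* headers the remote service must return on the OPTIONS preflight before a browser will send the POST. The wiki origin, policy values and sample request are constructed assumptions; the two X- headers are the ones Prototype's Ajax.Request adds, which is what makes this POST need a preflight.

```javascript
// Assumed policy for the remote service; the wiki origin is a placeholder.
const POLICY = {
  origins: new Set(['https://wiki.example']),  // exact origins allowed to call the service
  methods: new Set(['POST']),
  headers: new Set(['content-type', 'x-requested-with', 'x-prototype-version']),
  maxAge: 600,                                 // seconds a browser may cache the preflight
};

// Decide the CORS part of the response for one request.
// req = { method, headers }, header names lower-cased as Node's http module delivers them.
function corsDecision(req, policy = POLICY) {
  const origin = req.headers['origin'];
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (!origin) return { allow: true, preflight: false, headers: {} };
  const wantMethod = req.headers['access-control-request-method'];
  const preflight = req.method === 'OPTIONS' && wantMethod !== undefined;
  // Denied: no Allow-Origin header is sent, so the browser blocks the calling page.
  const deny = { allow: false, preflight, headers: { Vary: 'Origin' } };
  if (!policy.origins.has(origin)) return deny;
  // Echo the one matching origin instead of answering '*'.
  const base = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (!preflight) {
    return policy.methods.has(req.method) ? { allow: true, preflight, headers: base } : deny;
  }
  // Preflight: every header the page wants to send must be on the allowlist.
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!policy.methods.has(wantMethod) || !wantHeaders.every((h) => policy.headers.has(h))) {
    return deny;
  }
  return {
    allow: true, preflight,
    headers: { ...base,
      'Access-Control-Allow-Methods': [...policy.methods].join(', '),
      'Access-Control-Allow-Headers': wantHeaders.join(', '),
      'Access-Control-Max-Age': String(policy.maxAge) },
  };
}

// Constructed sample: the preflight a browser sends ahead of the cross-origin POST.
const samplePreflight = {
  method: 'OPTIONS',
  headers: { origin: 'https://wiki.example',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'x-prototype-version, x-requested-with' },
};
console.log(corsDecision(samplePreflight));
```
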

Re: Ajax.Query and cross-site AJAX requests?

xwiki.mexon
Yeah, I guess that makes sense.  Thanks for the suggestions.  In fact I
should be able to bring all my services under one domain so I'll just do
that.  It was a misguided attempt to improve security by keeping my
servers separate that brought me here in the first place!

On 2013-01-26 23:51 , Jerome Velociter - [hidden email] wrote:

> Hi,
>
> Indeed you are hitting the standard "same origin policy".
>
> You have 3 possibilities to circumvent it:
>
> * With JSONP requests - if the server supports them, and only for GET
> requests [1]
> * With CORS/pre-flight requests - if the server supports them [2]
> * With a proxy (for example a page on your wiki) that does the URL GET
> or POST, and you hit the proxy with your Ajax requests.
>
> Hope this helps,
> Jerome
>
> [1] http://en.wikipedia.org/wiki/JSONP
> [2] http://en.wikipedia.org/wiki/Cross-origin_resource_sharing