Wednesday, September 2, 2009

Cross XHR

Cross XHR.

Normally the web application make request to the same server. Cross XHR is simply the Cross Domain XMLHttpRequest, which is used to access some other service in different port of the same server, or to any other domain/Servers. Web application technologies commonly apply same-origin restrictions to network requests. These Restrictions prevents a client-side Web application running from one origin retrieving data from another origin, and also limit the amount of unsafe HTTP requests that can be automatically launched toward destinations that differ from the running application's origin which is called as “Same origin policy for JavaScript.

For Example:

You are running your Website in

If you has to make an XHR for other server like the XHR.response will as follows in different Browsers.

The Code for AJAX

// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}catch (e){
//Internet Explorer
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}catch (e){
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}"POST",”” , true);

  • Internet Explorer.

Here it will you a warning that “To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for details.”. After Allowing that you can access the or any server request.

  • Mozilla Firefox & Google Chrome

No Warning or message will be shown but the response (xmlHttp.responseText)

Will be a Zero length string. It shows it stops if the request violates Browser policies.

We can summarize as follows. For a URL (







Different protocol


Different port


Different host

Now our next target is How to Achieve Cross XHR.

W3C has introduced new Specification called Cross-Origin Resource Sharing (CORS).This specification consists of a simple header exchange between client-and-server, and is used by IE8’s proprietary XDomainRequest object as well as by XMLHttpRequest in browsers such as Firefox 3.5 and Safari 4 to make cross-site requests. These browsers make it possible to make asynchronous HTTP calls within script to other domains with GET and POST requests, provided the resources being retrieved are returned with the appropriate CORS headers.

Cross-Origin Resource Sharing (CORS).

It is nothing but adding the Access Control header in the Domain which is need to be accessed using Cross Domain. For example in we need to add one header as follows for any access from Access-Control-Allow-Origin:

For more details on Access Control please look in the following links.

  1. W3C Cross Domain Documents
  2. Mozilla HTTP Access Control

Hacking Using Cross XHR.

Different Cross XHR approaches in Internet are:

  1. Create one webservice to the other website in the same Server and give to client side using the same domain name.
    1. Yes definitely now it is a server side programming, Nothing to worry about Cross XHR Javascript Policies. It will work Fine.
  2. Using IFrame which connect to other websites and render locally.Use Javascript to handle the IFrame Data.
    1. Here the issue that Javascript will not allow to connect any IFrame in the document which has the different domain Name.Hence this approach will not work.
  3. By Using FlashXmlHttprequest
    1. I have tried the example it was not working. Still the security can look at the example here
  4. Cross Domain XMLHttpRequest using an IFrame Proxy provided in the dojotoolkit. Dojotoolkit Open here
    1. I haven’t tried this, please try this and let me know.



No comments: