
HTML5 XMLHttpRequest 2 - Cross-origin requests

The HTML5 specification introduced a few enhancements to the XMLHttpRequest object, and one of them is the ability to make cross-origin requests. That is, a page served from one host can send an XMLHttpRequest to another host and receive a response in return. On the server side, a check can be made to see whether the request can be accepted from the given origin. In this post I'll explain how this can be done using ColdFusion.

Client side:

On the client side, an XMLHttpRequest object is created and then a GET request is made to the remote server.

var client = new XMLHttpRequest();
// Handler body is illustrative: log the response once it is complete (readyState 4).
client.onreadystatechange = function readyStateChangeHandler() {
    if (client.readyState === 4 && client.status === 200) console.log(client.responseText);
};
client.open("GET", "http://{remote-address}/{path-to-file}.cfm", true); // true = asynchronous
client.send();

For example, if example.com wants to get a response from another domain, abc.com, then the open call from the code above would look like:


client.open("GET","http://abc.com/dir1/foo.cfm",true);  

Server side:

When a request is sent to the server, the request headers contain an Origin key whose value identifies the site from which the request was made. In this case that is example.com, sent as http://example.com. The server-side code can then check whether the request origin belongs to the list of origins from which requests can be accepted.

 <cfif structKeyExists(getHTTPRequestData().headers,"origin") >   
    <cfset origin = getHTTPRequestData().headers.origin />   
    <cfif origin eq "http://example.com">   
      <cfheader name="Access-Control-Allow-Origin"   
         value="http://example.com">   
      <cfoutput>#timeFormat(now(),"medium")#</cfoutput>   
    </cfif>   
 </cfif>

As the code above shows, the Access-Control-Allow-Origin response header is set to allow cross-origin requests from example.com. Requests from example.com can now be served by abc.com.
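
The check above accepts one hard-coded origin. The sketch below is an added example, not part of the original post: it generalizes the check to the "list of origins" the text mentions, written in JavaScript rather than ColdFusion. The names ALLOWED_ORIGINS, parseOrigin, corsHeadersFor and sampleDecisions, the second allowlist entry and the sample origins are assumptions made for illustration.

```javascript
// Added example (not from the original post). All names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "http://example.com",       // the origin used in the post
  "https://app.example.com",  // constructed second entry
]);

// Return the value unchanged if it is a well-formed http(s) origin
// (scheme://host[:port], nothing else), otherwise null.
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const url = new URL(value);
    const isHttp = url.protocol === "http:" || url.protocol === "https:";
    // url.origin drops any path, query or credentials, so equality with the
    // raw header means the header carried nothing but the origin itself.
    return isHttp && url.origin === value ? value : null;
  } catch (e) {
    return null; // missing, "null" or malformed header
  }
}

// Build the CORS response headers for one request's Origin header.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  // The response differs per Origin, so shared caches must key on it.
  const headers = { "Vary": "Origin" };
  const origin = parseOrigin(originHeader);
  if (origin !== null && allowed.has(origin)) {
    // Exact match only: echo the allowlisted origin, never "*" or a prefix match.
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample Origin header values.
const SAMPLE_ORIGINS = [
  "http://example.com",             // allowed
  "https://example.com",            // scheme differs from the allowlist entry
  "http://example.com.other.test",  // look-alike host; a prefix check would pass it
  "http://example.com/",            // not a bare origin
  "null",                           // opaque origin (sandboxed frame, file:)
];

function sampleDecisions() {
  return SAMPLE_ORIGINS.map((o) => [o, "Access-Control-Allow-Origin" in corsHeadersFor(o)]);
}

console.log(sampleDecisions());
```

Only the first sample origin receives an Access-Control-Allow-Origin header; every response carries Vary: Origin.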



Comments

  1. Very cool - so you would only get a security error after the response has come back (if there is no access-control header). I like it. I think cross-domain stuff can actually be pretty useful, especially with the amount of AJAX that applications depend on these days.

  2. @Ben,

    You're right, if the response header doesn't contain the flag with the correct value, then a security error would be raised.

  3. Does this work across all browsers and versions and particularly what is the earliest version of IE that supports this?

  4. @eap,

    I have tested this on Chrome and I think Firefox supports it. On IE 9, I guess the support for XHR 2 is still not available.

  5. I have to agree with Ben, it's so useful that I'll try it on my site. Thank you very much for sharing.
