Skip to main content

HTML5 XmlHttpRequest 2 - Cross origin request

HTML5 specification has introduced a few enhancements for XmlHttpRequest object and one of them is the ability to make cross-origin request. That is, a host can send a XmlHttpRequest request to another host and receive a response in return. On the server-side, a check can be made to see whether the request can be accepted from the given origin. In this post I'll try to explain how this can be done using ColdFusion.

Client side:

On the client side, a XmlHttpRequest object is created and then a GET request is made to the remote server.

 var client = new XMLHttpRequest();  
client.onreadystatechange = readyStateChangeHandler;  
client.open("GET","http://{remote-address}/{path-to-file}.cfm",true);  
client.send();

For example, say example.com wants to get a response from another domain say abc.com, then as observed from the above code the request would look like:


client.open("GET","http://abc.com/dir1/foo.cfm",true);

Server side:

When a request is sent to the server, the request header would contain a key ORIGIN whose value will be the domain name from which the request was made. In this case the value would be example.com. The server side code can then perform a check to see whether the request origin belongs to the list of origins from which the request can be accepted.

 <cfif structKeyExists(getHTTPRequestData().headers,"origin") >   
    <cfset origin = getHTTPRequestData().headers.origin />   
    <cfif origin eq "http://example.com">   
      <cfheader name="Access-Control-Allow-Origin"   
         value="http://example.com">   
      <cfoutput>#timeFormat(now(),"medium")#</cfoutput>   
    </cfif>   
 </cfif>
As seen from the above code, the response header ACCESS-CONTROL-ALLOW-ORIGIN is set to allow cross-origin requests from example.com. This now enables requests from example.com to be served from abc.com. 
Labels:

Comments

  1. UnknownApril 19, 2011 at 3:41 AM

    Very cool - so you would only get a security error after the response has come back (if there is not access-control header). I like it. I think cross-domain stuff can actually be pretty useful, especially with the amount of AJAX that applications depend on these days.

    ReplyDelete
  2. Sagar GanatraApril 19, 2011 at 10:45 AM

    @Ben,

    You're right, if the response header doesn't contain the flag with the correct value, then a security error would be raised.

    ReplyDelete
  3. eapApril 21, 2011 at 9:21 PM

    Does this work across all browsers and versions and particularly what is the earliest version of IE that supports this?

    ReplyDelete
  4. Sagar GanatraApril 22, 2011 at 10:35 PM

    @eap,

    I have tested this on Chrome and I think Firefox supports it. On IE 9, I guess the support for XHR 2 is still not available.

    ReplyDelete
  5. web design PerthMarch 20, 2012 at 7:39 AM

    I have to agree with Ben, it's so useful that I'll try it on my site. Thank you very much for sharing.

    ReplyDelete

Post a Comment

Popular posts from this blog

File upload and Progress events with HTML5 XmlHttpRequest Level 2

The XmlHttpRequest Level 2 specification adds several enhancements to the XmlHttpRequest object. Last week I had blogged about cross-origin-requests and how it is different from Flash\Silverlight's approach .  With Level 2 specification one can upload the file to the server by passing the file object to the send method. In this post I'll try to explore uploading file using XmlHttpRequest 2 in conjunction with the progress events. I'll also provide a description on the new HTML5 tag -  progress which can be updated while the file is being uploaded to the server. And of course, some ColdFusion code that will show how the file is accepted and stored on the server directory.
18 comments
Read more

How to use the APP_INITIALIZER token to hook into the Angular bootstrap process

I've been building applications using Angular as a framework of choice for more than a year and this post is not about another React vs Angular or the quirks of each framework. Honestly, I like Angular and every day I discover something new which makes development easier and makes me look like a guy who built something very complex in a matter of hours which would've taken a long time to put the correct architecture in place if I had chosen a different framework. The first thing that I learned in Angular is the use of the APP_INITIALIZER token.
Post a Comment
Read more

On GraphQL and building an application using React Apollo

When I visualize building an application, I would think of using React and Redux on the front-end which talks to a set of RESTful services built with Node and Hapi (or Express). However, over a period of time, I've realized that this approach does not scale well when you add new features to the front-end. For example, consider a page that displays user information along with courses that a user has enrolled in. At a later point, you decide to add a section that displays popular book titles that one can view and purchase. If every entity is considered as a microservice then to get data from three different microservices would require three http  requests to be sent by the front-end app. The performance of the app would degrade with the increase in the number of http requests. I read about GraphQL and knew that it is an ideal way of building an app and I need not look forward to anything else. The GraphQL layer can be viewed as a facade which sits on top of your RESTful services o...
Post a Comment
Read more