cross site ajax using proxy not working

Question

I am trying to do cross site ajax using tinyproxy as a reverse proxy. Here is the setup:

• A desktop system running gentoo linux. Ip address is x.x.x.x. Boa (web server, port 80) and tinyproxy (http proxy, port 8888) is running on this system.

Here are the test files:

======= a.html ======

<html>
  <head>
    <meta charset="UTF-8" />
    <title>Ajax test</title>
  </head>
  <body>
    <script type="text/javascript" src="http://code.jquery.com/jquery-latest.js"></script>
    <script type="text/javascript" src="a.js"></script>
  </body>
</html>

======= a.js ========

$(document).ready( function() {

    function error_func()
    {
        alert("error occurred");
    }

    function ajax_func(data)
    {
        alert("ajax received");
    }

    $.get("http://x.x.x.x:8888/outside/xyz.txt", ajax_func).error(error_func);

});

I have configured tinyproxy so that http://x.x.x.x:8888/outside/ will go to http://www.outside.com/. I control that domain and I have placed a text file there, xyz.txt, with the "test string" in it.

Now, when I put the following url into firefox: x.x.x.x:8888/xyz.txt, everything works and I see the "test string" displayed in the browser window. But when I put x.x.x.x/a.html into firefox, I get the "error occurred" dialog box. I have tried this on IE, Safari, Firefox, and Chrome and I get the "error occurred" dialog in all of them.

Please note that I am aware of the "same origin policy", that's why I am using tinyproxy to get around that limitation.

I used wireshark on the gentoo linux machine to watch the traffic. Everything looks ok. I see an HTTP transaction between firefox and x.x.x.x, then I see an HTTP transaction between x.x.x.x and "outside" and finally another HTTP transaction between x.x.x.x and firefox. The HTTP 200 OK includes the "test string" as expected. But still, jquery isn't happy and I don't get the "ajax received" dialog box...

One thing I am suspecting is the HTTP "Server" header. The x.x.x.x system says "Server: Boa", but the final response has "Server: Apache". Would I be violating the same origin policy because of this difference?

Answer 1

About a month ago, I asked almost the same question. You can find the answer here: Cross protocol cookie iFrame

Answer 2

Ajax communications must be made under these three conditions:

1. Same host
2. Same protocol
3. Same port

So technically you can't use an Ajax call when communicating between different ports, BUT there's a simple solution. You can ignore the prestated conditions if you define an Access-Control-Allow-Origin header allowing you to gain access from another host/protocol/port.

You'll have to make sure that your webpage is allowed access to your proxy via the correct header(s).

For more information I suggest you read this: https://developer.mozilla.org/en-US/docs/HTTP_access_control

Answer 3

The same origin policy restricts access to the:

• same host
• same protocol
• same port

The same origin policy applies also to your case because you try to access x.x.x.x:8888 from x.x.x.x:80.

you need to deliver the content also over the same port.