Reputation: 1009
document.domain and cross-site-scripting
Debugging assistance requested.
The page http://www.freshfaves.com/newfave.html contains this code:
<script>
document.domain = 'freshfaves.com';
$(document).ready(function() {
var dbUrl = 'http://freshfaves.com/';
var result = '';
$.ajax({
type: "POST",
url: dbUrl,
data: [], //params,
async: false,
dataType: "text",
success: function(d,status) { result = d; return false; },
error: function(xmlhttp,errmsg) { result = errmsg; return false; }
});
alert('result: '+result);
});
</script>
To my understanding, the XMLHttpRequest cross-site restraints are checked based on the document.domain value, and that value is set to what is both a valid suffix of the current page url, and an exact match to the site hosting the requested page.
This is a cross-site request, in that www.freshfaves.com and freshfaves.com are on different hosts. The result is an alert box displaying 'result: error'. The weblogs on the other site show that the request was not received there, so it apparently errored before the request was sent.
If I change the dbUrl to 'http://www.freshfaves.com/', the request succeeds, so the problem seems closely related to the url, and is not a bug elsewhere in the code.
Upvotes: 1
Views: 12788
Answers (2)
Reputation: 12404
This should not be possible, since basically it is a different domain name, possibly pointing to a completely different server.
EDIT: just noticed the
document.domain = 'freshfaves.com';
part. This only works to let two scripts from different (sub)domains communicate, e.g. with iframes from different subdomains. Both sides need to set this property to the same domain to communicate. Check out this link with more info on how to make this work: http://ajaxian.com/archives/how-to-make-xmlhttprequest-calls-to-another-server-in-your-domain
There is a draft from W3C that specifies how to handle cross-origin requests, which has been (partially) implemented in Firefox 3, and possibly other browsers as well: http://www.w3.org/TR/access-control/
I assume you are having trouble when people visit the site with www in front of the domain name, but some also omit the www part. This can be resolved by dynamically generating your domain name to include the www part whether it is present in the URL, or even better, make the URL a relative:
var dbUrl = '/mylocation';
Upvotes: 1
Reputation: 449613
All the examples in the available documentation on document.domain such as here for IE, here for Mozilla always have different subdomains like images.xyz.com and www.xyz.com, but I have yet to see one in which one request comes from the domain itself, i.e. xyz.com.
Can you try mapping freshfaves.com to, say, test.freshwaves.com and see whether your approach works for that?
Upvotes: 0
Related Questions
- AJAX cross site scripting between own domains
- Cross domain DOM/JS pain
- Fix cross site scripting issue
- Cross site scripting on the same domain, different sub domains
- Explicitly set document.domain on every page
- Is cross window-domain scripting possible?
- Document.domain not functioning as I'm expecting
- javascript cross-domain issue
- cross-domain javascript
- Enabling cross domain scripting in the intranet