clamp

Reputation: 34006

XMLHttpRequest cross site scripting on same server but different port

Using XMLHttpRequest, it is not possible to open a connection to a document on a different domain than where the page itself is hosted.

But what about different ports?

For example, I have a web server running on my machine listening on port 80, so the web address would look like this:

http://localhost:80/mypage.html

And I have another web server running on localhost which is meant to process the Ajax requests but listens on a different port. So the JavaScript in mypage.html would look like this:

// Page is served from http://localhost:80; the request targets port 1234
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "http://localhost:1234/?parameters", true);
xmlhttp.send();

Would this work? Or will it give a security exception as well?

Upvotes: 5

Views: 10845

Answers (2)

Zlatko

Reputation: 19569

This wouldn't go as it is still practically on another server (at least another server instance, which may not be under your control).

You could add an Access-Control-Allow-Origin: http://yourdomain:1234/ in headers; google for Cross-Origin Resource Sharing. It's relatively new though, not all browsers know about this. Or you can use jQuery (read more on http://softwareas.com/cross-domain-communication-with-iframes).

Upvotes: 5

justkt

Reputation: 14766

Using a different port does indeed count as cross-site scripting.

There are several well-known ways to make a call (you can always send the data) and use the response (which is what you cannot normally do under anti-XSS constraints), including JSONP and using an iframe in the page to load the data.

Upvotes: 8
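Added example, not part of the question or either answer above: the same-origin comparison for the two URLs in the question, and a server-side allow-list that decides when the service on port 1234 sends Access-Control-Allow-Origin. The names ALLOWED_ORIGINS, isSameOrigin, corsHeaders and handleApiRequest are hypothetical, and the handler assumes a Node-style (req, res) interface.

```javascript
// Added example (not from the original page). All names are hypothetical.

// Origins allowed to read responses from the API on port 1234.
// The page http://localhost:80/mypage.html has origin "http://localhost",
// because 80 is the default port for http and is dropped on serialization.
const ALLOWED_ORIGINS = new Set(["http://localhost"]);

// Two URLs are same-origin only if scheme, host and port all match.
function isSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  // Opaque origins (e.g. data: URLs) serialize to "null" and never match.
  return ua.origin !== "null" && ua.origin === ub.origin;
}

// Build the CORS response headers for a request's Origin header value.
function corsHeaders(requestOrigin) {
  const headers = { Vary: "Origin" }; // caches must key responses on Origin
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    // The value is an exact origin: scheme://host[:port], no path or slash.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Handler with the shape Node's http.createServer expects.
// Without the allow header the request is still processed by the server;
// the browser only refuses to expose the response to the calling page.
function handleApiRequest(req, res) {
  const headers = corsHeaders(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ ok: true }));
}
```

Because the server does the work before the browser enforces anything, state-changing endpoints still need their own authorization and CSRF checks.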
