[xwiki-users] Ajax.Query and cross-site AJAX requests?
Hi,

I want one of my pages to make a post to another site and insert the results into its page. Right now I've got a JavaScriptExtension that looks like:

    function doquery() {
        new Ajax.Request('http://mat.exon.name/test.php', {
            method: 'post',
            parameters: {
                'arg': document.getElementById('thearg').value,
            },
        });
        return false;
    }

I find that this does an OPTIONS request, but not the intended POST. If I change the URL to a local page, the POST goes through as intended. Am I tripping up over some kind of XSS defense, and is there some way to turn it off?

Hi,

Indeed you are hitting the standard "same origin policy".

You have 3 possibilities to circumvent it:

* With JSONP requests - if the server supports them, and only for GET requests [1]
* With CORS/pre-flight requests - if the server supports them [2]
* With a proxy (for example a page on your wiki) that does the URL GET or POST, and you hit the proxy with your Ajax requests.

Hope this helps,
Jerome

[1] http://en.wikipedia.org/wiki/JSONP
[2] http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

On 26/01/13 05:03, [email protected] wrote:
_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
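
An added example (not part of the original thread) for the CORS option in the reply above: why the browser sent OPTIONS instead of the POST, and what the remote server would have to answer. Prototype's Ajax.Request adds custom headers such as X-Requested-With, which forces a preflight; the origin http://wiki.example.org and the POLICY allowlist are assumptions.

```javascript
// Simplified CORS preflight rules (header value limits other than Content-Type omitted).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Browser side: does a cross-origin request need an OPTIONS preflight first?
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;            // e.g. X-Requested-With
    if (n !== 'content-type') return false;
    return !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Server side: answer the preflight from an explicit allowlist (policy is assumed).
function answerPreflight(req, policy) {
  const origin = req.headers['origin'];
  const method = req.headers['access-control-request-method'];
  const wanted = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.origins.includes(origin) &&
    policy.methods.includes(method) &&
    wanted.every(h => policy.headers.includes(h));
  if (!ok) return { status: 403, headers: {} };       // no CORS headers: browser never sends the POST
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,          // allowlisted origin only, never '*' or a blind echo
      'Access-Control-Allow-Methods': policy.methods.join(', '),
      'Access-Control-Allow-Headers': policy.headers.join(', '),
      'Vary': 'Origin',
    },
  };
}

// Constructed sample data; wiki.example.org is a placeholder origin.
const POLICY = {
  origins: ['http://wiki.example.org'],
  methods: ['POST'],
  headers: ['x-requested-with', 'x-prototype-version', 'content-type'],
};
const PREFLIGHT = { method: 'OPTIONS', headers: {
  'origin': 'http://wiki.example.org',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'x-prototype-version, x-requested-with',
} };
console.log(needsPreflight('POST', { 'X-Requested-With': 'XMLHttpRequest' }), answerPreflight(PREFLIGHT, POLICY));
```

The response to the POST itself must also carry Access-Control-Allow-Origin, otherwise the page cannot read the result.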

Yeah, I guess that makes sense. Thanks for the suggestions.

In fact I should be able to bring all my services under one domain so I'll just do that. It was a misguided attempt to improve security by keeping my servers separate that brought me here in the first place!

On 2013-01-26 23:51, Jerome Velociter - [email protected] wrote:

participants (2)
- Jerome Velociter
- xwiki.mexon@spamgourmet.com