
Re: Ajax & web service


Scott R. Prelewicz

Mar 3, 2009, 1:38:19 PM
If I understand correctly, you are trying to access a service on a different
domain. As you said, for security reasons browsers don't allow this.

The way around it is by using a proxy script. Have your AJAX handler call a
script on your server, which in turn gets the data from the webservice, and
passes it back to your AJAX call.


Scott Prelewicz
COMAND Solutions
800-598-0869 ext. 87
----- Original Message -----
From: "Herb Munson" <>
To: <>
Sent: Wednesday, February 25, 2009 4:54 PM
Subject: Ajax & web service

> Is it possible to use js and xmlhttprequest to send an HTTP request
> directly to a web service?
> In FireFox 3.0.6, setRequestHeader("Host", "") in my js code
> appears to be ignored. The rest of the process works (other headers get
> set, "send" sends, the readystatechange handler fires, and a message
> arrives) but the responseText is just error information telling me "the
> resource cannot be found". "Live HTTP Headers" makes the reason obvious;
> in the HTTP request message, "Host" is still "localhost". (And indeed,
> says "For security
> reasons." setRequestHeader should abort if the header argument == "Host".)
> So, is this hardwired into Mozilla's setRequestHeader, and is there no way
> around it??
> Is there no way to tell Mozilla that it is OK to exchange messages with a
> particular domain? (BTW, I've had no better luck with IE 7.)
> Thanks for any help.
> Herb

Herb Munson

Mar 3, 2009, 4:07:59 PM
Yes, that's what I've done (implemented a proxy). But I'd still like to
understand why I had to do that, where the process has been and where it is

My confusion comes from several sources. First, an older book that seems to
see no problem at all. Are these protections new? Is someone using an old
browser able to make cross-domain GET requests?

Second, are there browser security settings that circumvent the protection?
I expected that adding a site to "trusted sites" in IE would do it, but it
did not - although the security scheme is a bit opaque to me ("This zone" -
what zone would that be?). I also got the impression that setting
signed.applets.codebase_principal_support TRUE in FF would allow me to
circumvent the problem with PrivilegeManager. Nope. At least, I couldn't
get it to work.

Third, the W3 has at least a "working draft" on ways around the problem; for
all I know someone has implemented something, somewhere. Or is about to.

Finally, if the equivalent functionality can be gained by having a proxy on
the server pass along the request, has security been preserved? If the
proxy is designed to handle only a very specific request, security is
probably not affected. But wouldn't a completely general HTTP request
handler be subject to the same problems? (Obviously I don't understand
exactly what the security risk is or I could answer this myself.)

Sorry to ask so many questions; I'm trying to understand this stuff, and
there is a lot to understand. And I'm certainly not expecting poor
Scott to try and answer them all! Any contributions to repair my ignorance
are welcome.


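The "very specific request" proxy discussed in the thread, as an added sketch that is not part of the original posts: the client never chooses the upstream host or path, which is what separates it from a completely general relay. The names `UPSTREAM_ORIGIN`, `ROUTES`, `planUpstreamRequest` and `handleProxy`, the `/proxy/quote` route and the host `api.example.test` are assumptions made for illustration.

```javascript
// Added example. api.example.test stands in for the remote web service.
const UPSTREAM_ORIGIN = "https://api.example.test";

// Each local route maps to ONE fixed upstream path plus a validator per
// accepted query parameter. The client never supplies a host or a path.
const ROUTES = new Map([
  ["/proxy/quote", { path: "/v1/quote", params: new Map([["symbol", /^[A-Z]{1,5}$/]]) }],
]);

// Only these request headers are relayed. Cookie and Authorization are dropped
// so credentials the browser holds for our site never reach the other domain.
const RELAYED_HEADERS = ["accept", "accept-language"];

function planUpstreamRequest(method, rawUrl, headers) {
  if (method !== "GET") return { status: 405 };
  const url = new URL(rawUrl, "http://localhost"); // base is only for parsing
  const route = ROUTES.get(url.pathname);
  if (!route) return { status: 404 };
  const target = new URL(route.path, UPSTREAM_ORIGIN);
  for (const [name, value] of url.searchParams) {
    const pattern = route.params.get(name);
    if (!pattern || !pattern.test(value) || target.searchParams.has(name)) {
      return { status: 400 }; // unknown, malformed or repeated parameter
    }
    target.searchParams.set(name, value);
  }
  const relayed = {};
  for (const h of RELAYED_HEADERS) if (headers[h]) relayed[h] = headers[h];
  return { status: 200, url: target.href, headers: relayed };
}

// Node-style (req, res) handler; fetchImpl is injectable for offline testing.
async function handleProxy(req, res, fetchImpl = globalThis.fetch) {
  const plan = planUpstreamRequest(req.method, req.url, req.headers);
  if (plan.status !== 200) {
    res.writeHead(plan.status);
    return res.end();
  }
  try {
    // redirect: "error" stops the upstream from steering the proxy elsewhere.
    const upstream = await fetchImpl(plan.url, { headers: plan.headers, redirect: "error" });
    // Fixed content type: the relayed body is data for the XHR, not a page.
    res.writeHead(upstream.status, { "content-type": "text/plain; charset=utf-8" });
    res.end(await upstream.text());
  } catch {
    res.writeHead(502);
    res.end();
  }
}
```

A handler that instead read the target URL from a request parameter would let any caller use the server's network position to reach hosts of their choosing, which is the concern raised in the question about a completely general request handler.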