
Re: Ajax & web service


Scott R. Prelewicz

Mar 3, 2009, 1:38:19 PM
to dev-...@lists.mozilla.org
If I understand correctly, you are trying to access a service on a different
domain. As you said, for security reasons browsers don't allow this.

The way around it is by using a proxy script. Have your AJAX handler call a
script on your server, which in turn gets the data from the webservice, and
passes it back to your AJAX call.

HTH,

Scott Prelewicz
COMAND Solutions
800-598-0869 ext. 87
www.comandsolutions.com
----- Original Message -----
From: "Herb Munson" <herbm...@q.com>
To: <dev-...@lists.mozilla.org>
Sent: Wednesday, February 25, 2009 4:54 PM
Subject: Ajax & web service


> Is it possible to use js and xmlhttprequest to send an HTTP request
> directly to a web service?
>
> In FireFox 3.0.6, setRequestHeader("Host", "www.ecubicle.net") in my js
> code appears to be ignored. The rest of the process works (other headers
> get set, "send" sends, the readystatechange handler fires, and a message
> arrives) but the responseText is just error information telling me "the
> resource cannot be found". "Live HTTP Headers" makes the reason obvious;
> in the HTTP request message, "Host" is still "localhost". (And indeed,
> http://www.w3.org/TR/XMLHttpRequest/#setrequestheader says "For security
> reasons." setRequestHeader should abort if the header argument == "Host".)
>
>
>
> So, is this hardwired into Mozilla's setRequestHeader, and is there no way
> around it??
>
>
>
> Is there no way to tell Mozilla that it is OK to exchange messages with a
> particular domain? (BTW, I've had no better luck with IE 7.)
>
>
>
> Thanks for any help.
>
>
>
> Herb


Herb Munson

Mar 3, 2009, 4:07:59 PM
to dev-...@lists.mozilla.org
Yes, that's what I've done (implemented a proxy). But I'd still like to
understand why I had to do that, where the process has been and where it is
going.

My confusion comes from several sources. First, an older book that seems to
see no problem at all. Are these protections new? Is someone using an old
browser able to make cross-domain GET requests?

Second, are there browser security settings that circumvent the protection?
I expected that adding a site to "trusted sites" in IE would do it, but it
did not - although the security scheme is a bit opaque to me ("This zone" -
what zone would that be?). I also got the impression that setting
signed.applets.codebase_principal_support TRUE in FF would allow me to
circumvent the problem with PrivilegeManager. Nope. At least, I couldn't
get it to work.

Third, the W3 has at least a "working draft" on ways around the problem; for
all I know someone has implemented something, somewhere. Or is about to.

Finally, if the equivalent functionality can be gained by having a proxy on
the server pass along the request, has security been preserved? If the
proxy is designed to handle only a very specific request, security is
probably not affected. But wouldn't a completely general HTTP request
handler be subject to the same problems? (Obviously I don't understand
exactly what the security risk is or I could answer this myself.)

Sorry to ask so many questions; I'm trying to understand this stuff, and
there is a lot to understand. And I'm certainly not expecting poor
Scott to try and answer them all! Any contributions to repair my ignorance
are welcome.

Herb

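
On the last question in the message above (a proxy built for one specific request versus a completely general request handler), the difference comes down to who chooses the target URL. The sketch below is an added example, not code from anyone in the thread; the route "/proxy/quote", the upstream path "/service/quote" and the "id" parameter are hypothetical, and only the host name comes from the original post.

```javascript
// Added example, not code from the thread. Route and upstream path are hypothetical.

// General form: the client names the target, so the server will fetch any URL
// it can reach, including hosts that are only visible from inside its network.
function generalTarget(requestUrl) {
  return new URL(requestUrl, "http://localhost").searchParams.get("url");
}

// Narrow form: the server owns scheme, host and path; the client supplies only
// the values of the parameters named here.
const ROUTES = new Map([
  ["/proxy/quote", { origin: "http://www.ecubicle.net", path: "/service/quote", params: ["id"] }],
]);
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,64}$/;

// Returns the upstream URL for a same-origin request, or null if not permitted.
function upstreamFor(requestUrl) {
  const req = new URL(requestUrl, "http://localhost");
  const route = ROUTES.get(req.pathname);
  if (!route) return null;
  const target = new URL(route.path, route.origin);
  for (const name of route.params) {
    const value = req.searchParams.get(name);
    if (value === null) continue;              // optional parameter not sent
    if (!SAFE_VALUE.test(value)) return null;  // reject anything unexpected
    target.searchParams.set(name, value);
  }
  return target.href;
}

// Request handler for http.createServer(handle); needs Node 18+ for fetch.
// The browser's cookies and headers are deliberately not forwarded upstream.
async function handle(req, res) {
  const target = req.method === "GET" ? upstreamFor(req.url) : null;
  if (!target) { res.writeHead(404); res.end(); return; }
  try {
    // Do not follow redirects: a redirect would let the upstream pick a new target.
    const upstream = await fetch(target, { redirect: "error" });
    res.writeHead(upstream.status, { "Content-Type": "text/plain; charset=utf-8" });
    res.end(await upstream.text());
  } catch {
    res.writeHead(502); res.end();
  }
}
```
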
