The way around it is by using a proxy script. Have your AJAX handler call a
script on your server, which in turn gets the data from the webservice, and
passes it back to your AJAX call.
HTH,
Scott Prelewicz
COMAND Solutions
800-598-0869 ext. 87
www.comandsolutions.com
----- Original Message -----
From: "Herb Munson" <herbm...@q.com>
To: <dev-...@lists.mozilla.org>
Sent: Wednesday, February 25, 2009 4:54 PM
Subject: Ajax & web service
> Is it possible to use js and xmlhttprequest to send an HTTP request directly
> to a web service?
>
> In FireFox 3.0.6, setRequestHeader("Host", "www.ecubicle.net") in my js code
> appears to be ignored. The rest of the process works (other headers get
> set, "send" sends, the readystatechange handler fires, and a message
> arrives) but the responseText is just error information telling me "the
> resource cannot be found". "Live HTTP Headers" makes the reason obvious; in
> the HTTP request message, "Host" is still "localhost". (And indeed,
> http://www.w3.org/TR/XMLHttpRequest/#setrequestheader says "For security
> reasons." setRequestHeader should abort if the header argument == "Host".)
>
> So, is this hardwired into Mozilla's setRequestHeader, and is there no way
> around it??
>
> Is there no way to tell Mozilla that it is OK to exchange messages with a
> particular domain? (BTW, I've had no better luck with IE 7.)
>
> Thanks for any help.
>
> Herb
>
> _______________________________________________
> dev-ajax mailing list
> dev-...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-ajax
>
My confusion comes from several sources. First, an older book that seems to
see no problem at all. Are these protections new? Is someone using an old
browser able to make cross-domain GET requests?
Second, are there browser security settings that circumvent the protection?
I expected that adding a site to "trusted sites" in IE would do it, but it
did not - although the security scheme is a bit opaque to me ("This zone" -
what zone would that be?). I also got the impression that setting
signed.applets.codebase_principal_support TRUE in FF would allow me to
circumvent the problem with PrivilegeManager. Nope. At least, I couldn't
get it to work.
Third, the W3 has at least a "working draft" on ways around the problem; for
all I know someone has implemented something, somewhere. Or is about to.
Finally, if the equivalent functionality can be gained by having a proxy on
the server pass along the request, has security been preserved? If the
proxy is designed to handle only a very specific request, security is
probably not affected. But wouldn't a completely general HTTP request
handler be subject to the same problems? (Obviously I don't understand
exactly what the security risk is or I could answer this myself.)
Sorry to ask so many questions; I'm trying to understand this stuff, and
there is a lot to understand. And I'm certainly not expecting poor
Scott to try and answer them all! Any contributions to repair my ignorance
are welcome.
Herb
-----Original Message-----
From: dev-ajax-bounces+herbmunson=q....@lists.mozilla.org
[mailto:dev-ajax-bounces+herbmunson=q....@lists.mozilla.org] On Behalf Of
dev-ajax...@lists.mozilla.org
Sent: Tuesday, March 03, 2009 12:00 PM
To: dev-...@lists.mozilla.org
Subject: dev-ajax Digest, Vol 33, Issue 1
Today's Topics:
1. Re: Ajax & web service (Scott R. Prelewicz)
----------------------------------------------------------------------
Message: 1
Date: Tue, 3 Mar 2009 13:38:19 -0500
From: "Scott R. Prelewicz" <scott.p...@comandsolutions.com>
Subject: Re: Ajax & web service
To: <dev-...@lists.mozilla.org>
Message-ID: <CC0F06CD2A814B1A9B17A8C2E4D81334@ScottPC>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
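An added example, not part of any message in this thread, for the question of a request-specific proxy versus a completely general HTTP request handler: it shows only how each one decides which upstream URL the server will contact. The host www.ecubicle.net comes from the thread; the route name, upstream path, parameter pattern and sample requests are assumptions constructed for illustration.

```javascript
// Constructed route table: the host is the one named in the thread; the
// route name, path and parameter list are assumptions for illustration.
const ROUTES = new Map([
  ["lookup", { base: "http://www.ecubicle.net/service/lookup", params: ["id"] }],
]);

// General forwarder: the caller chooses the destination. The server will
// contact whatever it is handed, including hosts only the server can reach.
function generalTarget(requestUrl) {
  const q = new URL(requestUrl, "http://localhost").searchParams;
  return q.get("url");
}

// Narrow proxy: the caller picks a route name; the server owns host and path.
// Only allowlisted parameters are copied, and each value must match a strict
// pattern, so nothing the browser sends can redirect the upstream request.
function narrowTarget(requestUrl) {
  const q = new URL(requestUrl, "http://localhost").searchParams;
  const route = ROUTES.get(q.get("route"));
  if (!route) return null; // unknown or missing route: refuse
  const upstream = new URL(route.base);
  for (const name of route.params) {
    const value = q.get(name);
    if (value === null || !/^[A-Za-z0-9_-]{1,64}$/.test(value)) return null;
    upstream.searchParams.set(name, value);
  }
  return upstream.href;
}

// Constructed requests, as a page's XMLHttpRequest would send them to its own origin.
const samples = [
  "/proxy?route=lookup&id=42",
  "/proxy?route=lookup&id=42&url=http://localhost/admin",
  "/proxy?route=other&id=42",
  "/proxy?route=lookup&id=../../etc",
];
for (const s of samples) {
  console.log(s, "-> narrow:", narrowTarget(s), "| general:", generalTarget(s));
}
```

The narrow resolver ignores the extra `url` parameter and refuses unknown routes or malformed values, while the general one hands back whatever destination the caller supplied.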