XMLHttp Request - Cross-domain Requests

Cross-domain Requests

In the early development of the World Wide Web, it was found possible to breach users' security by the use of JavaScript to exchange information from one web site with that from another less reputable one. All modern browsers therefore implement a same origin policy that prevents many such attacks, such as cross-site scripting. XMLHttpRequest data is subject to this security policy, but sometimes web developers want intentionally to circumvent its restrictions. This is sometimes due to the legitimate use of subdomains as, for example, making an XMLHttpRequest from a page created by foo.example.com for information from bar.example.com will normally fail.

Various alternatives exist to circumvent this security feature, including using JSONP, Cross-Origin Resource Sharing or alternatives with plugins such as Flash or Silverlight. XMLHttpRequest Level 2 also includes a feature to communicate with other domains. This is implemented in Firefox 3.5, Google Chrome, and Safari 4. Internet Explorer 8 has the non-standard XDomainRequest, which can do a similar thing.

Headers added to a server's HTTP response headers can allow cross-domain requests to succeed. For example, Access-Control-Allow-Origin: *, can allow all domains to access a server. Access-Control-Allow-Origin can be used in all browsers that support cross-domain requests, which includes Internet Explorer 8. The W3C's specification is defined in Cross-Origin Resource Sharing. When the request succeeds, a status 200 (OK) is returned; however, errors from cross-domain requests will not be identified and the status will always be zero.