It's puzzling to me why client side AJAX is restricted from making calls across domains, especially when it's so easy to create a server side proxy for fetching data. I'm not interested in speculation; I want to know the reasoning behind this decision from the language designers or those closely involved. Is there documentation explaining the purpose behind this restriction, other than just causing a slight inconvenience for developers?
Thank you in advance.
One important reason for having a cross domain policy is to prevent browsers from acting as reverse proxies. For example, imagine you are browsing from your office computer. Now, let's say there is an intranet at that contains sensitive information accessible only within the local network. Without the existence of a cross domain policy, www.evil.com could potentially make ajax requests to through your browser, effectively using it as a reverse proxy to obtain and send confidential information back to www.evil.com via another Ajax request.
This is likely one of the main reasons for implementing such restrictions.
When operating as the owner of myblog.com and sending an XHR to facebook.com, it is important not to include your facebook cookie credentials in the request. This could potentially lead to unauthorized access to users' private facebook information through your blog.
Instead, if you need to access facebook data, consider creating a proxy service that will not have direct access to the facebook cookies.
As for JSONP, it is generally considered safe because you are loading a script that you did not create yourself. Unless facebook's script explicitly decides to share information with your script, you will not be able to access their data.
One of the main reasons behind this limitation is related to security. Allowing JSON requests to include and handle cookies or security credentials when communicating with a different domain can pose significant security risks. This issue does not arise when using a server-side proxy, as it lacks direct access to the client's environment. There have been suggestions for implementing secure and sanitized JSON-specific request methods, but as of now, they have yet to be adopted.
Direct access and proxy servers differ in terms of handling cookies and security-related identification details that are strictly associated with a single source.
While your browser can utilize this information to access sensitive data, a proxy server lacks the user's login credentials and therefore cannot do so.
As a result, proxy servers are only suitable for accessing public data, much like Cross-Origin Resource Sharing (CORS).
Although I may not be an expert, I have my own perspective on why the server side proxy may not be the ideal solution:
document.domain of their pages.Ultimately, my biggest issue with this approach:
On revisiting your question, the essence of AJAX security boils down to:
Preventing any website from accessing your desktop or reaching sensitive servers within your organization's intranet.
Can someone assist me in stopping my carousel from auto-sliding on mobile devices only? I have attempted solutions from similar queries on this platform, but they have not worked for me. Any suggestions would be greatly appreciated. Below is an example of ...
My script: <!DOCTYPE html> <html> <head> <script> $(document).ready(function () { document.getElementById("saveForm").click(); }); </script> </head> <!--<body onload="document.getElementById('saveForm&apos ...
I am brand new to GitHub and the MEAN (mongodb, express, angular, node.js) stack. I am currently working through a book by Ethan Brown called 'Web Development with Node and Express', and he has provided a Git repository for me to clone and follow ...
I am attempting to save multi-select input using ajax in a Laravel application, but I keep encountering the following error: {message: "Function name must be a string", exception: "Error", …} Below is my Blade code: <select class= ...
I am currently working on developing a real-time chat application with various rooms as part of my project. Progress has been smooth so far, but I am facing an issue with properly fetching the most recent chat messages from the database. The message table ...
My React app is currently running on localhost:3000, while my Backend API is running on localhost:8181. To address cross-origin request issues and ensure compatibility, I have implemented an nginx reverse proxy setup for both the react app and backend API. ...
My setup involves a video element and a canvas element as seen below: <video id="video" width="640" height="480"></video> <canvas id="canvas" width="640" height="480"></canvas> The goal is to decode a PDF417 barcode from the webca ...
Currently, I am working on implementing the JQuery Draggable feature. My idea is to create a map where I can attach image Divs to it dynamically using Jquery. So far, I have been successful in adding the Divs and making them draggable around the map effici ...
When I choose an option from the dropdown list and click the submit button in the modal, the selected value is not being posted to the controller as expected. Below is my view code: <div class="form-group"> <div class="col-md-4"> ...
https://i.sstatic.net/E1DMb.png I am working with an array that has properties embedded within it. I am wondering if there is a method to separate out these properties from the array data and transform them into a distinct object containing only the prope ...
Hello, I need some assistance in creating dependent Textboxes based on Dropdown values fetched from a database using Jsp. The code provided below is working fine for one Textbox, but I am unsure how to extend it for multiple dependent Textboxes. Any help w ...
I'm currently facing an issue where every time the browser is resized, a function is triggered. This function can turn a side panel into an accordion if the screen width meets certain criteria, or it can just display as an open side panel on larger sc ...
Is it feasible to watch Youtube videos without relying on javascript and plugins, exclusively using HTML5 or a similar alternative? ...
I recently delved into the world of iOS development and find myself at a crossroads when it comes to organizing my code. Consider a straightforward Blog Reader app, requiring an API to fetch the latest posts. I've come across tutorials and code snipp ...
I am currently working on developing a Web Api using NodeJs and MongoDB. One issue I have encountered is that my await statements are not being awaited, leading to unexpected behavior in my code. Code async find_nearby_places(lng, lat, tag, maxDistanc ...
I am in the process of developing a quiz application that consists of two essential files: question.php and process.php Within question.php, the user is required to input their answer in a textbox and submit it by clicking a designated button. This input ...
Here is my JavaScript code snippet: jQuery(document).ready(function(){ const select = $('...'); //select element const input = $('...'); //input element select.change(doSomething()); input.change(doSomething()); f ...
I'm currently working on a tool that incorporates file drag and drop functionality. Strangely, this feature works perfectly in all browsers except for Chrome. Surprisingly, however, it does work in Chrome when the tool is run locally. Here is the cod ...
One of my functions is functioning properly with the alert: function RequestNext() { var xhr = getXMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == 4 && (xhr.status == 200 || xhr.status == 0)) { ...
<div class="videoItem"> <div class="innerVideoItem"> <a><div class="overlayBg"></div></a> <a><img class="overlayPlay"><img></a> </div> </div> <script> ...