I recently faced a requirement to support the execution of AJAX requests to sub-domains, other than the one that the current page is served from.
The advantage of this is that AJAX requests won't eat-up the two simultaneous requests limit of the browsers.
Unfortunately… :(, the results of my research are not promising:
It is not possible!
XMLHttpRequest object is denying access for executing requests against any domain or sub-domain other than the domain of the loaded page.
Cross-domain security is so tight that if you are on http://sitename.com and you call http://www.sitename.com it will deny access!
Here is what is considered to be a “cross-domain” and is thus blocked by the browsers:
- Change in port number
- Change in domains
- Change in sub-domain
- Change in protocol (http cannot call https)
I went ahead and created the very plain test scenario which utilizes the raw XMLHttpRequest object, no use of Ajax Framework, etc.
For the test to work, the following must be followed:
- Create new host entries:
- 127.0.0.1 www.aleksey.com
- 127.0.0.1 svc.aleksey.com
- Unzip the contents of the attached ZIP file
- Create a new virtual directory in IIS, called “CrossDomainTest”, pointing to the unzipped folder.
- Run the http://www.aleksey.com/CrossDomainTest/default.htm
- Unfortunately, the results are the same -> Access Denied.
The HTML page:
The Script:
The Response:
There is, however, a potential solution/hack -> iFrame:
iFrames aren't limited to pulling pages from same web server as their containing page - they can load any URL. To prevent cross-site security problems, browsers enforce the same origin policy in the javascript object model: scripts running in one frame can't access any objects inside another iframe, unless both pages came from the same server.
There's an exception to this rule, however. If both pages come from the same parent domain, and both of them set the property document.domain to the same parent domain, scripts running in either frame will be allowed to talk to each other. For example, say the page http://www.example.com/ loads the page http://ajax.example.com/ in an iframe. Since both pages are in the domain example.com, if both set document.domain to "example.com" they will be given the ability to programmatically access each other's data.
So, theoretically, we can use an iFrame with document.domain to make XMLHttpRequest connections, with two restrictions:
- The iframe must be served from the server to which you'll be making XMLHttpRequest calls.
- We have to open the XMLHttpRequest connection before you set document.domain.
Here are some of the sources of my research:
As an additional confirmation of the above results, I want to refer to some of the well-known websites which heavily utilize XMLHttpRequest objects. Their AJAX requests are executed against the same domain as the main website (i.e. www……):
Hope this saves someone the research time if they face a similar requirement.