SitePoint Sponsor

User Tag List

Results 1 to 2 of 2
  1. #1
    SitePoint Enthusiast
    Join Date
    Mar 2010
    0 Post(s)
    0 Thread(s)

    Disable cross domain requests


    A loyal user recently made a non-malicious JS script on his web site that performs an AJAX request to one of my scripts on my web server (cross-domain). He noticed that this request went through and was performed successfully and brought this to my attention.

    How might I go about disabling cross-domain AJAX requests? I thought this wasn't possible by default, but I guess I am mistaken.

    Thanks in advanced.

  2. #2
    Under Construction silver trophybronze trophy AussieJohn's Avatar
    Join Date
    Sep 2005
    Sydney, Australia
    11 Post(s)
    0 Thread(s)
    Quote Originally Posted by Panduola View Post
    AJAX request to one of my scripts on my web server
    It's "legal" to make a request to another JavaScript file cross domain. While you could call it "AJAX" it's more in the order of "I'm downloading a file from someone's server and looking inside at the contents".

    JavaScript files are simply publicly accessible files, so can be requested as a file and executed in the client it was requested in.

    In a nutshell, true cross domain AJAX requests occurs when someone attempts to retrieve data from a webservice (or similar) from a JavaScript that is not on the same domain. Normally this is something that fails because of Same-Origin Policy, and a technique called JSONP needs to be used on both sides to facilitate communication.

    While Same-Origin Policy isn't foolproof, it helps reject a fair number of requests; If you really want to be super safe and make sure only scripts on your site are allowed to make AJAX requests you could implement a token system similar to the way Wordpress does it with Nonces (Wikipedia page on Nonces)
    var details = {
    . . web: "",
    . . photos: "",
    . . psa: ""


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts