Adding Access-Control-Allow-Origin to server for Cross domain scripting

Cross domain scripting would be such a big issue especially in year 2011, I never imagined. What I had envisioned to be a small problem turned out to be much bigger and complicated than I thought.

Let us go over the problem statement first

I have application 1 making a json request to

While it works in IE(I was working with IE6) , it will fail in Firefox (I was using FF 3.6)

From Mozilla docs

Cross-site HTTP requests are HTTP requests for resources from a different domainthan the domain of the resource making the request.  For instance, a resource loaded from Domain A (http://domaina.example) such as an HTML web page, makes a request for a resource on Domain B (, such as an image, using the imgelement (  This occurs very commonly on the web today — pages load a number of resources in a cross-site manner, including CSS stylesheets, images and scripts, and other resources.

Or another example

http:/  making call to http:/

will also be not allowed in FF because even on same server and different port number , it considers it cross domain scripting.

Cross-site HTTP requests initiated from within scripts have been subject to well-known restrictions, for well-understood security reasons.  For example, prior to Firefox 3.5, HTTP Requests made using the XMLHttpRequest object were subject to the same-origin policy.  In particular, this meant that a web application using XMLHttpRequest could onlymake HTTP requests to the domain it was loaded from, and not to other domains.  Developers expressed the desire to safely evolve capabilities such as <a rel="internal" href="">XMLHttpRequest</a> to make cross-site requests, for better, safer mash-ups within web applications

What will happen when you make a request, and observer in Firebug with FF, you could that the response is blank

The headers would look something like

User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20101203 AlexaToolbar/alxf-1.54 Firefox/3.6.13
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive

How do we fix cross domain scripting issue ?

The simple solution is to allow the server to which request is being made to server request to any domain or to a list of domains. The important thing to remember is that the changes are to be made in the server which is serving the  web service.

There are multiple ways to do it

1.  You change settings in your apache’s  httpd-vhosts.conf file ( I am using Apache 2.2 )

<VirtualHost *:80>
DocumentRoot “C:/apache-tomcat-6.0.29/webapps/myApplication”
ErrorLog “logs/skg1-error.log”
CustomLog “logs/skg1-access.log” common

Header set Access-Control-Allow-Origin “*”

<Directory “C:/apache-tomcat-6.0.29/webapps/myApplication”>
Options -Indexes FollowSymLinks
AllowOverride AuthConfig FileInfo
Order allow,deny
Allow from all

JkUnmount /*.jsp ajp13


Now after you set the value in apache server and look at the header and would see
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml

which essentially means your web service application’s server is serving request to any caller. In the next post I have talked about Cross domain scripting solution in Tomcat

Http Access Control – Mozilla Docs

Server Side Access Control – Mozilla Docs





电子邮件地址不会被公开。 必填项已用*标注