Adding Access-Control-Allow-Origin to server for Cross domain scripting
Cross domain scripting would be such a big issue especially in year 2011, I never imagined. What I had envisioned to be a small problem turned out to be much bigger and complicated than I thought.
Let us go over the problem statement first
I have application 1 http://www.skill-guru.com making a json request to http://ww.geekevalaution.com.
While it works in IE(I was working with IE6) , it will fail in Firefox (I was using FF 3.6)
From Mozilla docs
Cross-site HTTP requests are HTTP requests for resources from a different domainthan the domain of the resource making the request. For instance, a resource loaded from Domain A (http://domaina.example) such as an HTML web page, makes a request for a resource on Domain B (http://domainb.foo), such as an image, using the
imgelement (http://domainb.foo/image.jpg). This occurs very commonly on the web today — pages load a number of resources in a cross-site manner, including CSS stylesheets, images and scripts, and other resources.
Or another example
http:/127.0.0.1:8080/myservice making call to http:/127.0.0.1:8090/myservice2
will also be not allowed in FF because even on same server and different port number , it considers it cross domain scripting.
Cross-site HTTP requests initiated from within scripts have been subject to well-known restrictions, for well-understood security reasons. For example, prior to Firefox 3.5, HTTP Requests made using the
XMLHttpRequestobject were subject to the same-origin policy. In particular, this meant that a web application usingXMLHttpRequestcould onlymake HTTP requests to the domain it was loaded from, and not to other domains. Developers expressed the desire to safely evolve capabilities such as<a rel="internal" href="https://developer.mozilla.org/en/XMLHttpRequest">XMLHttpRequest</a>to make cross-site requests, for better, safer mash-ups within web applications
What will happen when you make a request, and observer in Firebug with FF, you could that the response is blank
The headers would look something like
| Host | 127.0.0.1:8080 |
| User-Agent | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 AlexaToolbar/alxf-1.54 Firefox/3.6.13 |
| Accept | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 |
| Accept-Language | en-us,en;q=0.5 |
| Accept-Encoding | gzip,deflate |
| Accept-Charset | ISO-8859-1,utf-8;q=0.7,*;q=0.7 |
| Keep-Alive | 115 |
| Connection | keep-alive |
| Referer | http://www.skill-guru.com/Callservice |
| Origin | http://www.skill-guru.com |
How do we fix cross domain scripting issue ?
The simple solution is to allow the server to which request is being made to server request to any domain or to a list of domains. The important thing to remember is that the changes are to be made in the server which is serving the web service.
There are multiple ways to do it
1. You change settings in your apache’s httpd-vhosts.conf file ( I am using Apache 2.2 )
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.com
DocumentRoot “C:/apache-tomcat-6.0.29/webapps/myApplication”
ServerName skill-guru.com
ErrorLog “logs/skg1-error.log”
CustomLog “logs/skg1-access.log” common
Header set Access-Control-Allow-Origin “*”
<Directory “C:/apache-tomcat-6.0.29/webapps/myApplication”>
Options -Indexes FollowSymLinks
AllowOverride AuthConfig FileInfo
Order allow,deny
Allow from all
</Directory>JkUnmount /*.jsp ajp13
</VirtualHost>
Now after you set the value in apache server and look at the header and would see
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
which essentially means your web service application’s server is serving request to any caller. In the next post I have talked about Cross domain scripting solution in Tomcat
Http Access Control – Mozilla Docs
Server Side Access Control – Mozilla Docs
