Cross-domain AJAX requests

2005-11-07 20:56:00

I got an e-mail last week from a developer who is trying to do something kind of interesting with AJAX and a networked application:

I have a WebSphere application running on my local machine. I can't do some of the data validation myself so I have to connect to another server (it is on the same domain but sitting on a different box) to get that information. Basically, I am trying to grab some content out of that HTML page using AJAX and use that information to render my own page (like screen scraping). Does the AJAX approach work in this case?

I can't seem to make this work because my application and the other application are running on different boxes.

Interesting, because networked Web applications speaking REST/SOAP over HTTP are ideal for tying together disparate pieces of infrastructure, as Peter Yared (ActiveGrid) explains very eloquently in his "Big Muffin in a Donut World" post (as well as his more forward-looking thoughts on the future direction of programming languages). These posts are fairly old, but still do a pretty good job of explaining the benefit of HTTP and scripting languages as infrastructural glue.

At first blush then, AJAX would seem to be just another step in that same direction, with AJAX HTTP requests allowing the browser to tie together data from various assets on the network.

However, you still have all your common-sense paranoia to consider when giving this kind of power to a client app -- naturally the ability to make arbitrary HTTP requests in a programmatic way with JavaScript has a lot of potential for misuse. So the browser sensibly disallows making requests with XMLHttpRequest to a different domain (actually any different machine name, even on the same subdomain) from the one from which the current page was served.

Of course security considerations are all relative, and what might be a perfectly sensible level of paranoia in an open networking environment might be irritating overkill for developers trying to cobble together a useful solution somewhere where they control the entire network.

A simple solution to this cross-domain request problem is to use a server-side proxy script on the originating server to relay AJAX requests to other servers.

I replied to the e-mail with a very quick example of a PHP proxy script which uses the PEAR module HTTP_Request:

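<?php
// PEAR HTTP_Request client library
require_once "HTTP/Request.php";

// Target URL (with its query string), passed URL-encoded as "url".
// It is relayed as-is; this script does not validate the target.
$url = $_REQUEST['url'];
$req = new HTTP_Request($url);

// Send the GET request and print the body the other server returned
if (!PEAR::isError($req->sendRequest())) {
    print $req->getResponseBody();
}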

The URL to be requested -- along with its query string -- is passed along as a (URL-encoded) variable called "url." The script simply relays the AJAX request, and prints out whatever it gets back from the other server.

It's quite a simple little script, and only handles basic GET requests. But it would be pretty easy to add whatever other stuff you need -- POST support, authentication tokens, other goodies -- to allow it to handle all the different sorts of requests you need.
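
The script above fetches whatever URL the client sends, so a deployed proxy usually limits the targets it will relay to. The following is an added example, not code from the original post: an allowlist check placed in front of the relay. The host name `validation.example.com`, the `$ALLOWED_HOSTS` list and the function name `proxy_target_allowed` are assumptions made for illustration.

```php
<?php
// Added example: allowlist check for the proxy's "url" parameter.
// The host name below is a constructed placeholder.
$ALLOWED_HOSTS = array('validation.example.com');

// True only for plain http(s) URLs on an allowlisted host and default port.
function proxy_target_allowed($url, $allowedHosts) {
    // A parameter sent as url[]=... arrives as an array, not a string.
    $parts = is_string($url) ? parse_url($url) : false;
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;   // not a string, malformed, or a relative URL
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;   // other schemes are never relayed
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;   // no credentials embedded in the URL
    }
    $defaultPort = ($scheme === 'https') ? 443 : 80;
    if (isset($parts['port']) && $parts['port'] !== $defaultPort) {
        return false;   // only the scheme's default port
    }
    // Exact, case-insensitive host match; no suffix or substring matching.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

if (PHP_SAPI === 'cli') {
    // Offline demo over constructed sample inputs.
    $samples = array(
        'http://validation.example.com/check?zip=94110',
        'http://validation.example.com.other.example/check',
        'http://validation.example.com:8080/check',
        'ftp://validation.example.com/check',
    );
    foreach ($samples as $s) {
        echo (proxy_target_allowed($s, $ALLOWED_HOSTS) ? 'relay  ' : 'reject ') . $s . "\n";
    }
} else {
    // In the proxy: refuse anything that fails the check, then relay as before.
    $url = isset($_REQUEST['url']) ? $_REQUEST['url'] : null;
    if (!proxy_target_allowed($url, $ALLOWED_HOSTS)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    require_once "HTTP/Request.php";
    $req = new HTTP_Request($url, array('allowRedirects' => false));
    if (!PEAR::isError($req->sendRequest())) {
        print $req->getResponseBody();
    }
}
```

Run from the command line, it prints a relay or reject decision for each constructed sample; served by the web server, it acts as the proxy. Redirects are left disabled so an allowlisted host cannot send the relay on to a target that was never checked.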

It's admittedly irritating to have to push work back onto the server, but the server's not doing much here. And since the requests still happen asynchronously, and originate on the client, the user experience is still very much an AJAXey one.


bobby (2005-11-10)
Synchronicity: http://www.xml.com/pub/a/2005/11/09/fixing-ajax-xmlhttprequest-considered-harmful.html?CMP=OTC-TY3388567169


This is the blog for Matthew Eernisse. I currently work at Yammer as a developer, working mostly with JavaScript. All opinions expressed here are my own, not my employer's.

