1
votes

I am a bit confused about 2 things related to cross domain stuff.

Say I have 2 domains; mydomain.com and otherdomain.com

Now on mydomain.com, what are all the things that can be accessed from otherdomain.com? I mean, can we have

<img src="otherdomain.com/xyz.jpg">

Similarly, can we directly use otherdomain.com in an iframe src? What is allowed by default? What can be done to prevent access from otherdomain.com's perspective?

The 2nd part is related to JavaScript/AJAX. Is otherdomain stuff blocked by default in script-related things? Using AJAX, can I by default make a request to otherdomain.com? Is it allowed? What can be done to get a response from otherdomain.com, if it is not allowed?

Thanks a lot.

3
Have you read this: developer.mozilla.org/en-US/docs/JavaScript/… It answers all your questions. - epascarello
Yes, I have already read that and lots of other things... but got confused by diff sources... - copenndthagen

3 Answers

0
votes

Read Wikipedia.

You cannot read from another domain (unless it allows you to).

You can display or execute content from another domain (e.g., using an image, frame, or script tag), but you can't read it directly from your code.
Thus, you cannot send an AJAX request to another domain, and you cannot read the contents of an image, frame, or script tag that was loaded from another domain.

0
votes

can we have <img src="otherdomain.com/xyz.jpg">

Yes, we can have this and any other resources like images, videos and audio files, zip, pdf ...

can we directly use otherdomain.com in iframe src?

can I by default make a request to otherdomain.com? Is it allowed?

No, for security reasons.

What can be done to get a response from otherdomain.com, if it is not allowed?

If you own otherdomain.com you can use JSONP and some PHP stuff.

http://remysharp.com/2007/10/08/what-is-jsonp/

0
votes

what all are the allowed things that can be accessed from otherdomain.com? I mean can we have <img src="otherdomain.com/xyz.jpg">

You need to distinguish between "show" and "access". You can include the image, but you cannot access its data because of the same-origin policy (SOP).

Similarly can we directly use otherdomain.com in iframe src? What all are allowed by default?

You can include everything that can be linked, from stylesheets, scripts, images to whole pages via frames. Executing scripts from other domains is actually a standard method for getting data, called JSONP; and including resources from third-party-CDNs is common as well.

What can be done to prevent access from otherdomain.com's perspective?

You can use the X-Frame-Options header to prevent inclusion via frames, which should be respected by most browsers.

You could try to avoid answering requests (sending 404 content) with the wrong REFERER header, but that's not a reliable method since REFERER is often disabled by browsers or blocked by firewalls.

2nd part is related to JavaScript/AJAX. Is otherdomain stuff blocked by default in script-related things? Using AJAX, can I by default make a request to otherdomain.com? Is it allowed?

No, the access to the data is blocked. You can send the request, but the response will not be available to your script unless CORS headers are sent to explicitly allow it.

What can be done to get a response from otherdomain.com, if it is not allowed?

You can use a proxy on mydomain.com.
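As an added example (not code from the question or any of the answers), here is how otherdomain.com could opt in to cross-origin reads with CORS for mydomain.com only, while still refusing to be framed via X-Frame-Options; the second function models the browser-side check that decides whether the calling script may read the response. Node.js is assumed, and the allowlist and origins are constructed sample values.

```javascript
// Added example: server-side CORS / X-Frame-Options decision for otherdomain.com,
// plus a model of the browser's same-origin-policy check on the response.
// Constructed sample allowlist: only pages on mydomain.com may read our responses.
const ALLOWED_ORIGINS = new Set(["https://mydomain.com"]);

// Build the response headers otherdomain.com should send for a request whose
// Origin header is `origin`. No Access-Control-Allow-Origin in the result means
// the browser keeps the default SOP behaviour: the request is sent, the body is
// hidden from the calling script.
function corsHeadersFor(origin, requestMethod) {
  const headers = {
    // Refuse to be embedded in frames by any other site (answer above).
    "X-Frame-Options": "DENY",
  };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // not on the allowlist: no CORS grant at all
  }
  // Echo the specific allowed origin rather than "*": a wildcard is never
  // honoured by browsers for credentialed (cookie-bearing) requests.
  headers["Access-Control-Allow-Origin"] = origin;
  // Caches must key on Origin, or one origin's grant could be served to another.
  headers["Vary"] = "Origin";
  if (requestMethod === "OPTIONS") {
    // Preflight reply for non-simple requests (e.g. JSON bodies, custom headers).
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Model of the browser check: may a script running at `scriptOrigin` read a
// response carrying `responseHeaders`? This mirrors the rule the answers
// describe: display is free, reading needs an explicit CORS grant.
function browserMayRead(scriptOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (!acao) return false;                 // SOP default: opaque response
  if (acao === "*") return !withCredentials; // wildcard never covers credentials
  return acao === scriptOrigin;            // must match the script's own origin
}

module.exports = { corsHeadersFor, browserMayRead, ALLOWED_ORIGINS };
```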