Ajax gives Access Denied error

I am trying to AJAX a request to 192.158.110.129:5000 (Flask Webserver), while the whole website is served by 192.168.110.129:8080 (Apache). I get an Access denied error in all browsers. How can I resolve this? I need to understand what's happening, so that I can fix it. document.domain="192.168.110.129" in Firefox. I think this is some cross site script injection security measure, but can anyone clarify?

There isn't much code I can show for this as I am using APIs. It is something like this. I have an HTML with textarea that is loaded with the CKEDITOR script. I access this through APACHE. Now for spell checking I modified their plugin and am sending a request to a flash web server.

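// Absolute URL with scheme; without "http://" the string is resolved as a relative path
var request = "http://192.158.110.129:5000/?data=data";
var data = CKEDITOR.ajax.load(request);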

This doesn't get through.

So file serving through Apache and Ajaxing to a flash server for Python action. Someone suggested that 'Proxy' or JSONP would be good solutions. Anywhere I can read up on that?

Correct, most browsers disallow XSS. You have two options.

  1. Whatever service you have on 192.158.110.129, move it onto 192.168.110.129 so there is no more XSS
  2. Create a server side .php (or similar) proxy script on 192.158.110.129. This server side script does not have XSS limitations and can retrieve resources from 192.168.110.129, and then be dynamically accessed by AJAX from 192.158.110.129.

If you post some code, I will be much obliged to provide example corrections.

XHR requests are restricted by a Same-Origin Policy that allows only requests within the same origin due to security reasons. So 192.168.110.129 is only allowed to send XHR requests to 192.168.110.129 but not 192.158.110.129.

Changing document.domain doesn’t help here. Besides that, you are only allowed to use a proper (super-)domain (for example, foo.example.com and bar.example.com could agree on example.com), and this is only for DOM access and not XHR requests.

An extension to XHR is Cross-Origin Resource Sharing, which allows cross-origin requests under specific conditions. One condition is that the receiving site authorizes requests from the script's site. This is done with the Access-Control-Allow-Origin response header field. It can either contain a list of allowed origins or * as a wildcard.

So try to send Access-Control-Allow-Origin: * on your 192.158.110.129 machine.
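
As an added example (not code from the question or the answers): the Access-Control-Allow-Origin approach as WSGI middleware, which a Flask app can be wrapped in, returning the one matching origin from an allowlist instead of `*`. The allowlisted origin is assumed to be the Apache-served page from the question; `spellcheck_app` and `response_headers` are hypothetical stand-ins so the block runs without Flask.

```python
# Added example: origin-allowlist CORS as WSGI middleware (standard library only).
ALLOWED_ORIGINS = {"http://192.168.110.129:8080"}  # assumed: the Apache-served page


class CorsAllowlist:
    """Wrap a WSGI app and add the CORS header only for allowlisted origins."""

    def __init__(self, app, allowed_origins):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")  # the browser's Origin request header

        def cors_start_response(status, headers, exc_info=None):
            headers = list(headers)
            # The response now differs per Origin, so caches must key on it.
            headers.append(("Vary", "Origin"))
            if origin in self.allowed:
                # Echo the single matching origin rather than sending "*".
                headers.append(("Access-Control-Allow-Origin", origin))
            return start_response(status, headers, exc_info)

        return self.app(environ, cors_start_response)


def spellcheck_app(environ, start_response):
    """Hypothetical stand-in for the Flask spell-check endpoint."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"misspelled": []}']


def response_headers(app, origin=None):
    """Send a constructed GET request to a WSGI app and return its headers."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": "data=data"}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    b"".join(app(environ, start_response))
    return dict(captured["headers"])


app = CorsAllowlist(spellcheck_app, ALLOWED_ORIGINS)
```

With a real Flask application object, the same wrapper is applied as `flask_app.wsgi_app = CorsAllowlist(flask_app.wsgi_app, ALLOWED_ORIGINS)`.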