Call it a limitation, call it a security measure; it is usually one and the same: a security measure on one side, but an annoying limitation on the other. Wouldn’t it be nice if you could just step into your house without having to search for your keys? Wouldn’t it be nice if you could just open your e-mail or enter any other application without having to remember any password? Wouldn’t it be nice if you could just insert your credit card into a teller machine and get your money spit out, without the extra step of recalling your PIN code and typing it in on that sticky keyboard?
Well, that’s not how it works. The world out there is evil and not all people are good guys; that’s why we need security, in the area of information technology as well.
Ajax – the powerful technique to dynamically add content to your web page – has security measures, aka limitations, as well: you cannot actually pull data from a different server behind the scenes, only from your own. As Steven Holzner wrote in chapter 3, “Creating Ajax Applications”, of his book “Ajax: A Beginner’s Guide”:
However, here’s one thing to note: if the URL you connect to, such as http://www.starpowder.com/data.php, and the Ajax-enabled page (ajax.html here) that’s attempting to download that URL are on different servers, you’re going to have a security problem. If your Ajax-enabled page attempts to download data behind the scenes from a different server, your browser is going to suspect that something underhanded is going on, and will ask permission from the user, via a dialog box, before proceeding.
I actually noticed that when, for instance, using Ajax through jQuery (doing a $.get or $.post call), accessing data from a different server does not work at all; I do not even get any dialog displayed by my browser. This might be related to some security settings in my browser (Firefox in this case) or to the fact that I use jQuery to do the Ajax request. When using Firebug to debug my request, I see that it turns red and shows a 200 return code. 200 would actually mean everything is OK, but the red color indicates that it is not. Anyhow, I don’t get any data from this request.
To overcome this limitation, some server-side programming is needed: code on your own server pulls the data from the different server and then sends it to your browser-side application. I have written a very simple server using Perl:
If my jQuery $.get call now calls this Perl script and passes it the URL of the page I actually want to access, everything works fine. Steven Holzner has published some PHP code in chapter 4 of his book to do the very same thing.
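The following is an added example of such a server-side proxy, not the author's script and not Holzner's PHP code. Because a script like this fetches whatever URL the caller passes, it only forwards requests to an allowlist of hosts; the script name proxy.pl, the parameter name url and the example.org host names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example: same-origin CGI proxy for Ajax calls, restricted to an allowlist.
use strict;
use warnings;
use URI;
use LWP::UserAgent;   # https targets also need LWP::Protocol::https installed

# Assumption: the only remote hosts the page needs (placeholder names).
my %ALLOWED_HOST = map { $_ => 1 } qw(www.example.org api.example.org);

# Return a canonical URI object if the target is acceptable, otherwise nothing.
sub validate_target {
    my ($raw) = @_;
    return unless defined($raw) && length($raw) && length($raw) < 2048;
    my $uri    = URI->new($raw)->canonical;
    my $scheme = $uri->scheme // '';
    return unless $scheme eq 'http' || $scheme eq 'https';
    return if defined $uri->userinfo;                  # reject user:pass@host forms
    return unless $ALLOWED_HOST{ lc($uri->host // '') };
    return unless $uri->port == $uri->default_port;    # standard ports only
    return $uri;
}

# Emit a minimal CGI response.
sub reply {
    my ($status, $type, $body) = @_;
    binmode STDOUT;
    print "Status: $status\r\nContent-Type: $type\r\n",
          "X-Content-Type-Options: nosniff\r\n\r\n", $body;
}

# Read the "url" parameter from the query string (proxy.pl?url=http%3A%2F%2F...).
my %param  = URI->new('?' . ($ENV{QUERY_STRING} // ''))->query_form;
my $target = validate_target($param{url});
unless ($target) {
    reply('403 Forbidden', 'text/plain', "Target not allowed\n");
    exit;
}

my $ua = LWP::UserAgent->new(
    timeout           => 10,
    max_size          => 1_000_000,        # cap the fetched body at about 1 MB
    max_redirect      => 0,                # a redirect could leave the allowlist
    protocols_allowed => [ 'http', 'https' ],
);
my $res = $ua->get($target);
if ($res->is_success) {
    reply('200 OK', scalar($res->content_type) || 'text/plain', $res->content);
}
else {
    reply('502 Bad Gateway', 'text/plain', "Upstream fetch failed\n");
}
```

From the page, a call such as $.get('proxy.pl', { url: 'http://www.example.org/data.php' }) reaches this script on the same server, and jQuery URL-encodes the url value into the query string.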