AJAX Security Restrictions
To add a layer of security to AJAX, all the major browsers prohibit cross-domain AJAX requests. This means that any AJAX calls you make in a script can only be made to the domain from which the script was loaded. If you have multiple domains that you need to make AJAX calls to, here are some possible solutions.
Proxying requests
Creating a proxy for cross-domain AJAX requests is possibly the simplest solution. This involves placing a proxy script on your web server, and defining AJAX calls to request data from other domains via your proxy script.
For example, if you wanted to fetch http://example2.com/data.txt from example.com, you could create a proxy script at http://example.com/proxy and define an AJAX request to call http://example.com/proxy?url=http://example2.com/data.txt.
Server-side scripts are generally not subject to this cross-domain security policy, so the proxy can fetch the requested URL and pass the data back to your client directly. These proxy scripts can be very simple; for example, consider this PHP script:
<?php echo @file_get_contents($_GET['url']); ?>
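You can manage security restrictions, such as a list of allowed URLs, at the server end while remaining transparent to the client. The one-line script above applies none: it fetches whatever the url parameter names, including local file paths and internal addresses reachable from the server, so a deployed proxy needs such an allowlist.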
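The proxy with a server-side allowlist, as an added example that is not part of the original page. ALLOWED_HOSTS, the function names, the 1 MiB cap and the text/plain response type are assumptions; example2.com is the page's own example host.

```php
<?php
// Added example. ALLOWED_HOSTS is a hypothetical allowlist of hosts the proxy may fetch from.
const ALLOWED_HOSTS = ['example2.com'];

// Returns the URL if the proxy may fetch it, or null otherwise.
function validate_proxy_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                       // relative or local file paths
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                       // file://, php://, ftp:// and other wrappers
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;                       // no embedded credentials, default ports only
    }
    return in_array(strtolower($p['host']), ALLOWED_HOSTS, true) ? $url : null;
}

// Fetches an already-validated URL; returns null on failure.
function proxy_fetch(string $url): ?string
{
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,            // a redirect could lead off the allowlist
        'timeout'         => 5,            // seconds
    ]]);
    $body = @file_get_contents($url, false, $ctx, 0, 1048576);  // read at most 1 MiB
    return $body === false ? null : $body;
}

$raw  = $_GET['url'] ?? '';
$url  = is_string($raw) ? validate_proxy_url($raw) : null;   // ?url[]=x arrives as an array
$body = $url === null ? null : proxy_fetch($url);
if ($body === null) {
    http_response_code($url === null ? 400 : 502);
    exit;
}
// Serve as inert text so fetched content is never rendered as HTML on this origin.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $body;
```

The client-side call is unchanged: it still requests http://example.com/proxy?url=http://example2.com/data.txt, and any URL off the allowlist gets a 400.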
Serving scripts from other domains
If you have control over both domains involved, you can download scripts on demand from the server on the secondary domain and they will be executed normally:
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'http://example.com/script.js';
document.getElementsByTagName('head')[0].appendChild(script);
You can then dynamically generate the JavaScript on the server side to provide the same functionality as (hypothetical) cross-domain AJAX would.