If you have an AJAX application that uses a PHP back-end app on a different server than your web front-end server (e.g. load balancing, CDNs, etc.), your PHP script will need to send response headers with the allowed content server name(s).
Web browsers are now following a standard for HTTP access control (CORS) to prevent client-side cross-site scripting attacks.
I tested this with Firefox and it simply blocks the request without any error messages. Google Chrome browser will error out with the following message if the access control origin is not set correctly on your PHP script. (woot!)
“XMLHttpRequest cannot load [PHP URL].. Origin [JAVASCRIPT URL] is not allowed by Access-Control-Allow-Origin.”
For example, suppose the JavaScript is hosted on example.com and your PHP app is on example.org.
Below is the PHP script for fixing this error. Replace example.com with your front-end server domain name.
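<?php
// The browser's Origin header includes the scheme, e.g. "http://example.com",
// and is absent on same-origin or non-browser requests.
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
if ($origin === 'http://example.com')
{
    header('Access-Control-Allow-Origin: http://example.com');
    header('Content-type: application/xml');
}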
This was an easy 5-minute fix once I found what was causing the problem. Sometimes it's nice to have multiple browsers to troubleshoot AJAX issues.
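The same check extended to several front-end servers, as an added example that is not part of the original post. The origin list, the corsHeadersFor() helper and the XML body are constructed for illustration.

```php
<?php
// Constructed allowlist of front-end origins (replace with your own).
// An Origin value is scheme + host (+ non-default port), with no path.
$allowedOrigins = array(
    'http://example.com',
    'https://example.com',
    'http://www.example.com',
);

/**
 * Hypothetical helper: return the CORS headers for a request, or an
 * empty array when the Origin is missing or not on the allowlist.
 */
function corsHeadersFor($origin, array $allowed)
{
    // Exact, strict match only. Substring or loose regex checks would
    // also accept unintended hosts such as http://example.com.other.test.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return array();
    }
    return array(
        // Echo back the single matched origin rather than "*".
        'Access-Control-Allow-Origin: ' . $origin,
        // The response now differs per Origin, so caches must key on it.
        'Vary: Origin',
    );
}

$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';

$cors = corsHeadersFor($origin, $allowedOrigins);
foreach ($cors as $line) {
    header($line);
}

// Preflight: browsers send OPTIONS before non-simple cross-origin requests.
if ($method === 'OPTIONS') {
    if ($cors) {
        header('Access-Control-Allow-Methods: GET, POST');
        header('Access-Control-Allow-Headers: Content-Type');
    }
    exit;
}

header('Content-type: application/xml');
echo '<result>ok</result>';
```

A request from an origin that is not on the list still gets the XML body but no Access-Control-Allow-Origin header, so the browser refuses to hand the response to the calling script.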
UPDATE: I ran across some issues with Internet Explorer 8 with cross-domain requests:
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
To fix the Internet Explorer compatibility issues, I recommend using jQuery for handling the browser requests. It will handle the various browser GET/POST methods automatically, including IE8, Firefox, Chrome, etc.
http://forum.jquery.com/topic/jquery-autocomplete-new-parameter-implemented-method-get-post