If I have two Apache servers running on my i, one http://hostname:80 and the other http://hostname:81, I can open http://hostname:80/page and http://hostname:81/page from my browser. If however http://hostname:80/page tries to make an AJAX call to http://hostname:81/page, that's cross-site scripting.


________________________________________
From: Booth Martin [booth@xxxxxxxxxxxx]
Sent: Wednesday, December 5, 2018 12:52 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Header set Access-Control-Allow-Origin for web services

I believe the following is an accurate report:

* The i is remote, reached by VPN. Let's call
"i.server.com:10000/web/services/Oceans" TheURL. This is a web
service providing a short list of 5 oceans from QMYLIB/OCEANSP.
* There is also an HTTP server set up on TheURL's domain with a
website using JavaScript. That JavaScript presents a web page with
a nicely formatted layout and attempts to retrieve the Oceans data
from TheURL. It fails with the CORS failure.
* Eclipse is installed on my PC and the same JavaScript set-up is
installed there, pointing at TheURL. It fails with the CORS failure.

If I point my regular browser at TheURL I immediately get the 5 oceans
returned to me. Both JavaScript installations give me the CORS
failure. In other words, any regular web browser inside the VPN can
easily retrieve the data, but a JavaScript server at the same domain is
blocked???

That's just ridiculous; therefore, I am misunderstanding something.



On 12/5/2018 12:15 PM, Justin Taylor wrote:
Sounds like cross-site scripting. By default, JavaScript (JS) is prevented from calling servers other than the origin server that served the initial page.

Is your JS trying to call a different server?
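
Added example, not part of the thread: a simplified JavaScript model of the browser's origin comparison and its Access-Control-Allow-Origin check for a simple GET, using the URLs from the messages above. The function names and the http scheme and page path on the i.server.com URLs are assumptions.

```javascript
// Added illustration, not code from the thread.
// An origin is the tuple (scheme, host, port); the path plays no part.
function originOf(url) {
  // URL.origin drops default ports: http://hostname:80 serializes as http://hostname
  return new URL(url).origin;
}

function isCrossOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) !== originOf(requestUrl);
}

// Simplified model of the check applied to a script-initiated simple GET
// (no preflight). allowOrigin is the value of the response's
// Access-Control-Allow-Origin header, or null when the header is absent.
function scriptMayReadResponse(pageUrl, requestUrl, allowOrigin, withCredentials = false) {
  if (!isCrossOrigin(pageUrl, requestUrl)) return true; // same origin: CORS not involved
  if (allowOrigin == null) return false;                // no header: script cannot read it
  if (allowOrigin === "*") return !withCredentials;     // wildcard is refused with credentials
  // Otherwise the header must equal the page's serialized origin exactly.
  return allowOrigin === originOf(pageUrl);
}

// Constructed sample cases built from the URLs mentioned in the thread.
const PAGE_80 = "http://hostname:80/page";
const PAGE_81 = "http://hostname:81/page";
const SITE = "http://i.server.com/index.html"; // assumed page URL and scheme
const SERVICE = "http://i.server.com:10000/web/services/Oceans"; // scheme assumed

function sampleResults() {
  return {
    portsDiffer: isCrossOrigin(PAGE_80, PAGE_81),
    serviceIsCrossOrigin: isCrossOrigin(SITE, SERVICE),
    noHeader: scriptMayReadResponse(SITE, SERVICE, null),
    exactOrigin: scriptMayReadResponse(SITE, SERVICE, "http://i.server.com"),
    explicitDefaultPort: scriptMayReadResponse(SITE, SERVICE, "http://i.server.com:80"),
    wildcard: scriptMayReadResponse(SITE, SERVICE, "*"),
    wildcardWithCredentials: scriptMayReadResponse(SITE, SERVICE, "*", true),
  };
}

console.log(sampleResults());
```

Typing the service URL into the address bar is a top-level navigation rather than a script-initiated read, so this check does not apply to it.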

