Crossing the Site Domain with JavaScript

Dino Esposito (Simple Talk). 2016-06-20
It has become an easy task to expose data through HTTP endpoints. For example, if you’re on the Microsoft web stack you can use the controllers of a plain ASP.NET MVC web site or perhaps you can build a Web API frontend within an ASP.NET application hosted on IIS. It is quick and easy to call into these endpoints from the client side using, say, the facilities of the jQuery library. So where’s the problem?
The problem is that client-side HTTP calls—globally known as Ajax calls—are subject to the jurisdiction of client browsers; client browsers unilaterally decided, for security reasons, not to allow outgoing calls that reach out to a domain that is different from the domain where the current page was downloaded.
It is the Same-Origin Policy (SOP) that browser vendors added in relatively recent times to reduce the attack surface area for malicious users to zero. In this article, I’ll present various techniques you can legitimately use to make selected content of a web site accessible from outside the domain.
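
To make the rule concrete, the following sketch is an added example, not code from the article. It classifies an Ajax target the way the Same-Origin Policy compares it with the page: by scheme, host and port together, not by domain name alone. The function names and the `shop.example.com` URLs are constructed for illustration.

```javascript
// Added example: decide whether an Ajax target is same-origin with the page.
// An origin is the (scheme, host, port) triple, so a matching domain name
// is necessary but not sufficient.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// URL.port is "" when the URL uses the scheme's default port,
// so fill the default in before comparing.
function effectivePort(url) {
  return url.port !== "" ? url.port : (DEFAULT_PORTS[url.protocol] || "");
}

function classifyRequest(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  // Relative targets such as "/api/items" resolve against the page URL.
  const target = new URL(targetUrl, page);

  // Schemes such as data: serialize to the opaque origin "null",
  // which is never treated as same-origin with anything.
  if (page.origin === "null" || target.origin === "null") {
    return { sameOrigin: false, differs: ["opaque-origin"] };
  }

  const differs = [];
  if (page.protocol !== target.protocol) differs.push("scheme");
  if (page.hostname !== target.hostname) differs.push("host");
  if (effectivePort(page) !== effectivePort(target)) differs.push("port");
  return { sameOrigin: differs.length === 0, differs };
}

// Constructed sample: one page and the endpoints its scripts try to call.
const PAGE = "https://shop.example.com/cart";
const TARGETS = [
  "/api/items",                         // relative URL on the page's origin
  "https://shop.example.com:443/api",   // explicit default port
  "http://shop.example.com/api",        // same host, different scheme
  "https://api.example.com/items",      // sibling subdomain
  "https://shop.example.com:8443/api",  // same host, different port
  "data:text/plain,hi",                 // opaque origin
];

for (const t of TARGETS) {
  const r = classifyRequest(PAGE, t);
  console.log(t, "->", r.sameOrigin ? "same-origin" : "cross-origin: " + r.differs.join(", "));
}
```

Only the first two targets count as same-origin; a sibling subdomain, a different port, or a switch from HTTPS to HTTP each make the call cross-origin.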

