A preliminary study on implementing cross-domain access with Ajax

Source: Internet
Author: User
Tags: gmail, password

This is a security restriction built into JavaScript: by default, scripts loaded from the domain of machine B are not allowed to make Ajax calls to resources on server A (the same-origin policy). A simple example shows the kind of vulnerability this prevents:

Suppose Ajax could access any domain. Then I could write Ajax code on my own machine that requests resources from Google's various web applications, for example by using Firefox to study the addresses and parameters of the many Ajax requests Gmail makes during login. From that you could work out how the user's cookie is verified, then write cross-domain JS to obtain another user's cookie, bypass that user's Gmail password and log into their mailbox.

So, given the cross-domain restriction on Ajax, is cross-domain access really impossible?

Direct cross-domain Ajax does not work, but we can relay the request through our own server, the so-called proxy.

The principle is very simple: between your own JS and the resource on remote server A, set up an intermediate container that you control. The browser talks only to your own domain; your server fetches the remote resource and hands it back.

It can be written in ASP, PHP, Java, .NET or any other dynamic web language.

Take ASP as an example (fetch the buddy list for a user of the redekuai site, returned in XML format):

<%
' Fixed upstream URL: the page's own JS never supplies the target, so the relay
' cannot be pointed at arbitrary hosts.
p = "http://redekuai.com/api/user_friends_xml/funy"
' Pass the upstream body through unchanged; the API returns XML.
Response.ContentType = "text/xml"
Response.BinaryWrite ZQcnGet(p)
Response.Flush

' Fetch url with a synchronous server-side HTTP GET and return the raw body.
Function ZQcnGet(url)
    Set Retrieval = CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        ZQcnGet = .ResponseBody
    End With
    Set Retrieval = Nothing
End Function
%>

Save this code as proxy.asp and deploy it in IIS. Now JS on a page served from the same machine can make an Ajax request to proxy.asp, which in effect achieves cross-domain Ajax access.

The PHP sample code is simpler:

<?php
// Fetch the upstream XML and echo it to the browser unchanged.
echo file_get_contents("http://redekuai.com/api/user_friends_xml/funy");
?>

Note: the PHP version requires PHP >= 4.3.0 (file_get_contents was added in that release).
