Need Help With Cross Domain AJAX

Ask Question Forum:

Model Library:2025-02-08 Updated:A.I. model is online for auto reply question page

Show

ASK RECENT

Need Help With Cross Domain AJAX

Asked by stuengelman

at 2024-08-03 23:54:57

Point:500 Replies:33 POST_ID:828696USER_ID:11589

Topic:

Microsoft Development;Internet Protocols;Web Browsers

Hello,

I am trying to do a Javascript AJAX call to an ASP Classic script hosted at another domain at a different host. My Javascript and ASP Classic script appear below. The basic idea is that the ASP Classic script reads a MySQL DB table and is intended to pass back information to display within a SPAN element in the calling web page, using querystring input from the Javascript to determine which DB table record to work with.

I've tested the ASP Classic script by invoking it directly from its host in my browser, and it works perfectly. I've also set up headers in the ASP Classic script to permit cross-domain AJAX when the calling Javascript is hosted at the operant domain.

The code fails to return any result in MSIE, Firefox, and Chrome. In MSIE, I get a runtime Javascript error saying "permission denied."

Here is the Javascript code:
-------------------------------------------
function zip_onfocusout(inzip) {
var xmlhttp;
if (window.ActiveXObject) {//MSIE
       xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
      } else {//Other Browsers
       xmlhttp = new XMLHttpRequest();
      }
      xmlhttp.onreadystatechange=function() {
       if (xmlhttp.readyState==4 && xmlhttp.status==200) {
              document.getElementById("statedisplay").innerText=xmlhttp.responseText;
            }
      }
      xmlhttp.open("GET","http://www.leadtothetop.com/getstate.asp?zip="+inzip,true);
      xmlhttp.send();
}

Here is the ASP Classic Script:
-----------------------------------------------
<%@ Language=VBScript %>

<%Response.AddHeader "Access-Control-Allow-Methods","GET, OPTIONS"
Response.AddHeader "Access-Control-Allow-Credentials","true"
Response.AddHeader "Access-Control-Allow-Origin","http://www.legalhelprightnow.org, http://legalhelprightnow.org"
Response.AddHeader "Access-Control-Allow-Headers","*"
if isnumeric(Request.QueryString("zip")) and Request.QueryString("zip")<>"" then
      set CN=server.CreateObject("ADODB.Connection")
      CN.Open "dsn=" & application("dbodbcdsn"),application("dbusername"),application("dbpassword")
      set RS=server.CreateObject("ADODB.Recordset")
      SQL="select State from zipcodes where ZipCode=" & Request.QueryString("zip") & ";"
      RS.Open SQL,CN,adOpenStatic,adLockReadOnly
      if not RS.EOF then
       Response.Write("(" & RS("State") & ")")
      else
       Response.Write("(State Not Found)")
      end if
      RS.Close
      set RS=nothing
      CN.Close
      set CN=nothing
elseif Request.QueryString("zip")<>"" then
Response.Write("(Zip Not Valid)")
else
Response.Write("")
end if%>

The basic idea is that someone enters a zip code into a textbox on the calling page, and after moving mouse focus to the next control, the AJAX call is intended to fill a SPAN element with the associated two byte state abbreviation within parentheses.

Are my ASP classic headers wrong, or is something else causing the problem?

My PC is running Windows XP, and the ASP Classic host is running Windows 2008.

Thanks very much,
Stu Engelman

Author: stuengelman replied at 2024-08-06 11:21:41

Hi Tagit,

Got it. You can remove the email now.

Will get back to you in a few days (very busy with work right now).

Stu

Expert: Rob Jurd replied at 2024-08-06 00:54:22

Done :-)

Author: stuengelman replied at 2024-08-06 00:08:55

Tagit,

Please see Netminder's comment above. Can you post your email address in your profile, and then make a post here to have me look. You can remove your email after I reply back that I've got it.

Stu

Expert: Netminder replied at 2024-08-05 23:23:17

We'd prefer he didn't; better that he post it in his profile (and it's likely to cause him less spam).

Author: stuengelman replied at 2024-08-05 22:40:44

Netminder,

An article really isn't appropriate here, as I am proposing explaining an exploit to overcome a cross-domain security feature in MS software. There is no issue as long as the same person owns both sites, but this can be used as a hacking tool if someone owns one site and not the other (data theft, web form code injection to corrupt DB's, etc.).

Is it permissible for tagit to provide his email in a post here, and then we can communicate privately?

Thanks, Stu

Expert: Netminder replied at 2024-08-05 19:02:02

Stu,

Just a suggestion: write an article about the problem and the solution...

Netminder
Senior Admin

Author: stuengelman replied at 2024-08-05 15:07:32

Hi Tagit,

I'll supply you with some sample code to illustrate the concept.

Stu

Expert: Rob Jurd replied at 2024-08-05 05:37:59

I really appreciate your explanation on that Stu and would like to fully understand how you have achieved this. I have always got permission denied and hadn't taken it any further or just found another way to get what I needed.
I'd like to do a bit of testing myself but if I don't get anywhere I'll open a question and post the link here, as I'd like your input.

Author: stuengelman replied at 2024-08-05 00:44:49

Hi Tagit,

Actually, you can use an IFRAME to pull in any web (browser) page from any site. And then if you want to execute a server side script on the site, you can attach a JS AJAX call to the script within the IFRAME. You simply use the document.all.iframes.xxx object, where xxx is the ID of the IFRAME. Then, attach methods and events to the document.all.iframes.xxx object to make the JS call and receive the AJAX output. Next, place JS outside the IFRAME to call the methods, and finally place code within the IFRAME to pass the AJAX output back to the code outside the IFRAME. Basically, the AJAX objects responseText object will contain all Response.Write output from the server script. No credentialing will be required in the AJAX call, and no calling URL permission headers will be required in the server script, because the IFRAME treats the remote site as local.

Using this exploit is fine (though cumbersome) if you own the site you are spidering, but is unethical and typically violates terms of use if you don't. Also, state and federal intellectual property theft laws may violated if you don't own the spidered site, particularly when the site's content is copyrighted. I've used this technique to connect information between multiple sites owned by the same client, though I would never do it without the remote site owner's written permission if my client didn't own the remote site.

Stu

Expert: Rob Jurd replied at 2024-08-04 23:58:34

No objections, though for the record, the iframe solution ONLY works when you have access to the other site. I'm aware you do in this case but it is still bad programming practice to do so. It can break other apps that use the web service.

Author: stuengelman replied at 2024-08-04 23:27:03

OK, thanks Dave, Stu

Expert: Dave Baldwin replied at 2024-08-04 22:36:40

No, don't worry about it, I have no objections. @tagit gave you the details you needed.

Author: stuengelman replied at 2024-08-04 22:30:05

Dave - You provided a correct overview of the issue, but not any specific solution (other than a reference to the code Tagit provided).

Duncan - I agree you ultimately provided most (but not all) of the solution, but the details came after the points were awarded. Your earlier posts about IFRAMES would have solved the issue; I've used this technique before, but I wanted something more straightforward to avoid the extra coding required to spider the IFRAME portion of the DOM (I would have had to programmatically attach JS to an invisible IFRAME, invoke it from the main JS, and then pipe the AJAX output from the IFRAME back to the SPAN element; it all would have worked, but it would have involved about twice the amount of JS as I was using).

If there are still any disagreements from anyone, please advise. Otherwise, Tagit will retain the points for this question.

Stu

Expert: Netminder replied at 2024-08-04 17:07:54

Off-topic comments deleted.

The request attention button exists to avoid off-topic arguments that do not contribute to the solution of a problem.

Netminder
Senior Admin

Expert: duncanb7 replied at 2024-08-04 16:57:44

Anyway, I have no comment here
thanks for all of you

Duncan

Expert: Rob Jurd replied at 2024-08-04 16:27:44

Thanks for the points Stu

Expert: Rob Jurd replied at 2024-08-04 16:19:28

Easy to say when you've had the experience of a problem like this one because you know what to look for. When you haven't, you're looking for guidance.

Expert: Rob Jurd replied at 2024-08-04 16:14:14

Duncan that's not what EE is about. We as experts are here to guide and help the authors through to a solution. Posting a link just doesn't cut it in my opinion, not without an explanation at least.
I certainly felt Stu understands the code and solution.

Expert: Rob Jurd replied at 2024-08-04 16:12:27

Hi stu,
You have accepted the solution based on what is a solution and not just links to another page where you have to workout what is being suggested.
In your position I may have allocated Dave points as he was on the right track and as he said was on his way to posting code.

Expert: Rob Jurd replied at 2024-08-04 16:04:02

Duncan, what do you mean? You need to explain further what you're stating. We all agree except for you that the solution here is the solution. It works as the author wants so what's the issue?

Author: stuengelman replied at 2024-08-04 15:52:08

Hello All,

I meant no offense to anyone in picking Tagit's solution. This was the only solution that provided both the fixes to the calling JS code and the server code, without having to create hidden IFRAME's to defeat browser restrictions on cross-domain AJAX. I admit the IFRAME strategy would work, but it would have required extra JS to internally "spider" the DB host (not that complex, but more time consuming). Tagit's solution was the most straightforward and it worked perfectly without any modification.

I'm very sorry if anyone feels cheated. Please feel free to respond again if you feel I have not been fair.

Best, Stu

Expert: Rob Jurd replied at 2024-08-04 15:17:57

Sorry duncanb7, if anyone deserves points here it would be Dave's suggestion. There's nothing here you've posted that it's relevant to a solution.
I'm all for not stealing other ideas but clearly this is more than just about a concept. It's more than copying code too, it's how that code goes together which I didn't see here and felt it was necessary to the solution

Expert: duncanb7 replied at 2024-08-04 14:40:05

it is the requestState.asp page we called helper page.

Please review the score again, otherwise, who came later who get first and
copy others' idea to get the answer

if you need to report us the result later so meaning that is not perfect solution,
just a solution for the basis concept for cross-domain ajax, what is special if
know it the concept of cross-domain ajax

if someone can not write the code because he doesn't know the concept or
even get the code but still not understand the concept, if underdtand the concept
why he can not write the code, so the answer is the solution came from the concept
first

I also get the code without 'set xmlhttp = nothing
that simple code you can find it on any website
and please try it and I never test it

Since I came later, could I get some score that you can find it w3cschools
or everywhere ? if just need the code, why not just go
google copy some before this thread ?

<%'get the zipcode parameter from URLzipcode=ucase(request.querystring("zip"))url = "http://www.leadtothetop.com/getstate.asp?zip=" & zipcodeset xmlhttp = CreateDDDDDDDDDDDDDDDDObject("MSXML2.ServerXMLHTTP")xmlhttp.open "GET", url, falsexmlhttp.send ""Response.write xmlhttpDDDDDDDDDDDD.responseText'set xmlhttp = nothing%>

1:2:3:4:5:6:7:8:9:10:

Select All Code

later coming to see this thread users, please study concept first of ajax before get the so- called solution code becoz the code might be not correct

ANd I think the code is not solution since it is not tested and failed

Author: stuengelman replied at 2024-08-04 11:36:32

Excellent solution. Very easy to follow, and worked perfectly.

Author: stuengelman replied at 2024-08-04 11:35:38

Tagit,

Your solution worked perfectly. Thanks so much for your help.

Stu

Author: stuengelman replied at 2024-08-04 11:09:40

Hello Everyone,

Thanks so much for all the comments. I will test out your advice and report back.

Stu Engelman

Expert: Dave Baldwin replied at 2024-08-04 10:28:05

@tagit's code is an example of what I was talking about.

Expert: Rob Jurd replied at 2024-08-04 05:10:20

See here for an example using an embedded iframe, though you can't get the value, you can see it but i don't think it's what you want: http://jsfiddle.net/rjurd/FcNmC/

Accepted Solution

Expert: Rob Jurd replied at 2024-08-04 05:09:15

500 points EXCELLENT

I fail to see how the links posted above will help in this case... what am I missing? They're talking about resizing iframes... not really relevant here. However the helper page is relevant.

What is meant by a helper page is a "middleman" between your client page and the zip code page. It is a simple asp page that receives your ajax request and then requests the information from that zip code url as if you were using a browser accessing it directly. As you did with your browser and saw that it gave you what you were after. This helper page then passes the result back to your ajax. The ASP page running on the server has the authority to access other domains. The client doesn't so that is why this extra page is necessary.

so something like this (untested):

requestState.asp

<%'get the zipcode parameter from URLzipcode=ucase(request.querystring("zip"))url = "http://www.leadtothetop.com/getstate.asp?zip=" & zipcodeset xmlhttp = CreateObject("MSXML2.ServerXMLHTTP")xmlhttp.open "GET", url, falsexmlhttp.send ""Response.write xmlhttp.responseTextset xmlhttp = nothing%>

1:2:3:4:5:6:7:8:9:10:

Select All Code

then in your javascript:

 xmlhttp.open("GET","requestState.asp?zip="+inzip,true);

1:

Select All Code

Expert: duncanb7 replied at 2024-08-04 01:16:56

That is why I said helper page , please study the link first, and you will understand
how it work for cross-domain and then apply back the idea into your real cases

Expert: Dave Baldwin replied at 2024-08-04 01:12:54

Cross-site scripting is blocked as a security restriction in all modern browsers because it has been used in the past for bad purposes. What you can do instead is use AJAX to contact a page on your server that fetches the info from the other server and returns it to your page. It's a two-step process but the browsers will not allow you to directly access the other domain directly in javascript.

Expert: duncanb7 replied at 2024-08-04 00:56:33

I think you need additional helper page to do cross-domain Ajax, just study this first, simple
example from this link
http://paulasmuth.com/blog/dynamic_height_crossdomain_iframe/
http://johan.driessen.se/posts/resizing-cross-domain-iframes

Expert: duncanb7 replied at 2024-08-04 00:56:00

I think you need additional helper page to do cross-domain Ajax, just study this first
http://paulasmuth.com/blog/dynamic_height_crossdomain_iframe/
http://johan.driessen.se/posts/resizing-cross-domain-iframes

新聞財經娛樂♬資訊 News Economy

About Us|Service|Pricing

Stock Index全球即時指數期貨:

&nbps;

News即時新聞:↓

News即時新聞:↑

On Balance Volume (OBV):

Youtube Video♬ Sharing by members:↓

Youtube Video♬ Sharing by members:↑

Ask Question Forum:

Need Help With Cross Domain AJAX

Your Information

Members/Profolio