Please read my blog's comment policy here.
Update: Internet Explorer 10+ supports CORS using XMLHTTPRequest. IE11 deprecates the XDomainRequest object and it is not available in IE11 Edge mode.
In Internet Explorer 8, the XDomainRequest object was introduced. This object allows AJAX applications to make safe cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if the data source indicates that the response is public; in that way, the Same Origin Policy security guarantee is protected. Responses indicate their willingness to allow cross domain access by including the Access-Control-Allow-Origin HTTP response header with value *, or the exact origin of the calling page.
When designing the new object, our top priority was to ensure that existing sites and services would not be put at risk. To that end, we imposed a number of restrictions on what sort of requests can be made with the XDomainRequest object. Most of the restrictions are designed to help prevent Cross-Site Request Forgery (CSRF) attacks against legacy services.
The restrictions and the reasoning behind them are described by the rest of this post.
1. The target URL must be accessed using the HTTP or HTTPS protocols.
This one is simple—because the object relies on a HTTP response header for access control, the object requires that the target URL be HTTP or HTTPS so that it can examine the response headers to obtain permission to make the response available to the caller.
2. The target URL must be accessed using only the HTTP methods GET and POST
In order to ensure that the new object did not increase the attack surface against existing servers and services, we elected to restrict the HTTP methods (verbs) it may call to GET and POST. HTML 4.01 forms are restricted to these same methods, which means that any service which is at risk from the XDomainRequest object would also be vulnerable to attack from a cross-origin HTML Form. Since HTML Forms have existed for well over a decade, it’s assumed that applications have been hardened against attack from the GET and POST methods.
We could not assume that requests issued using other methods would be similarly handled by servers. Beyond that concern, most other methods that developers would hope to use (e.g. WebDAV / REST methods) also require sending custom HTTP Headers, and:
3. No custom headers may be added to the request
This restriction is similar to #2; we wanted to ensure that the XDomainRequest object would not allow an attacker to issue a request that a HTML Form could not issue. This is important because the Access-Control-Allow-Origin header isn’t available until after the response is returned, so there’s no way to tell before the request is issued whether or not the server is willing to accept cross-domain HTTP requests. Without these restrictions, a “Fire and Forget” CSRF attack could take place against a legacy server, even if the server doesn’t return the Access-Control-Allow-Origin header.
All XDomainRequest-issued requests are sent with an Origin header, indicating the Origin (scheme+hostname) of the caller.
4. Only text/plain is supported for the request's Content-Type header
In the original incarnation of the XDomainRequest object, we allowed specification of the Content-Type for a POST request. It was pointed out that this violated our goal of emitting only requests that HTML Forms can issue, because HTML Forms are limited to sending data in three different content types: text/plain, application/x-www-urlencoded, and multipart/form-data. In particular, it was pointed out that some AJAX server libraries would blindly assume that if they received a request with a SOAP or JSON Content-Type, then the client must either be trusted or Same Origin (because HTML itself previously offered no way to issue cross-origin requests with that Content-Type).
Unfortunately, when we fixed this problem in a later IE8 Beta, we went a bit too far; we restricted the content type to text/plain but didn’t allow the caller to specify that the data was in application/x-www-urlencoded form. This is problematic because server-side frameworks (e.g. ASP, ASPNET, etc) will only automatically parse a request’s fields into name-value pairs if the x-www-urlencoded content type is specified.
Note: As of 2014, XDomainRequest doesn't appear to send any Content-Type header at all. It's not clear to me when this changed.
To workaround this issue, server code that currently processes HTML Forms must be rewritten to manually parse the request body into name-value pairs when receiving requests from XDomainRequest objects. This makes adding support for the XDomainRequest object more difficult than it would be otherwise.
5. No authentication or cookies will be sent with the request
In order to prevent misuse of the user’s ambient authority (e.g. cookies, HTTP credentials, client certificates, etc), the request will be stripped of cookies and credentials and will ignore any authentication challenges or Set-Cookie directives in the HTTP response. XDomainRequests will not be sent on previously-authenticated connections, because some Windows authentication protocols (e.g. NTLM/Kerberos) are per-connection-based rather than per-request-based.
Sites that wish to perform authentication of the user for cross-origin requests can use explicit methods (e.g. tokens in the POST body or URL) to pass this authentication information without risking the user’s ambient authority.
6. Requests targeted to Intranet URLs may only be made from the Intranet Zone
As the table in the documentation shows, XDomainRequest restricts Internet-Zone pages from making requests to Local Intranet-based resources. This security precaution isn’t directly enforced by HTML Forms, but Internet Explorer’s Zone Elevation security feature provides a similar protection for navigations, of which Form Submissions are simply a specialized type.
7. Requests must be targeted to the same scheme as the hosting page
This restriction means that if your AJAX page is at http://example.com, then your target URL must also begin with HTTP. Similarly, if your AJAX page is at https://example.com, then your target URL must also begin with HTTPS.
It was definitely our intent to prevent HTTPS pages from making XDomainRequests for HTTP-based resources, as that scenario presents a Mixed Content Security Threat which many developers and most users do not understand.
However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely.
Worst of all, the Same Scheme restriction means that web developers testing their pages locally using the file:// scheme will find that all of the XDomainRequests are blocked because file:// doesn’t match either http:// or https://, which are the only valid target schemes (point #1). To workaround this issue, web developers must host their pages on a local web server (e.g. IIS, the Visual Studio hosting server, etc).
To workaround this limitation, you can build a postMessage-Proxy-for-XDR.
Despite the restrictions and unintended limitations, the XDomainRequest object provides powerful functionality. As servers that support the CORS specification become more common, the object will only get more useful.
Update: Internet Explorer 10 now supports CORS using XMLHTTPRequest which should be preferred to the now-deprecated XDomainRequest object.
Note: We intended to support COMET-streaming with XDomainRequest, but AJAX developers may need to workaround one small bug in the object’s support for streaming responses.
Note: In IE8, all XDomainRequests will fail with an error when the user is browsing in InPrivate Browsing mode. This bug was fixed in Internet Explorer 9.
IIRC a cross-domain XMLHttpRequest could be built using postMessage to communicate with a cross-domain iframe which would relay the request.
Use at your own risk, etc, etc.
@Sean: Indeed, that's correct, but it requires that the other site offer an IFRAME that exposes this service, and it requires that your site *trust* that IFRAME not to do anything sneaky like navigate your top-level window to a malware-laden site, etc.
I just hit the issue of trying to get the data posted from XDomainRequest from ASP.NET. Request.Form is, as Eric mentions, not populated because of ASP.NET's requirement for x-www-urlencoded as the contentType. So, here's the code I ended up writing using Request.InputStream:
//set the header to support XDomainRequest
Int32 counter, strLen, strRead;
// Create a Stream object.
str = Request.InputStream;
// Find number of bytes in stream.
strLen = Convert.ToInt32(str.Length);
// Create a byte array.
byte byteArray = new byte[strLen];
// Read stream into byte array.
strRead = str.Read(byteArray, 0, strLen);
// Convert byte array to a text string.
jsonContents = Encoding.UTF8.GetString(byteArray);
Maybe this will save someone some time. :)
I've a question, i use XDR to call a url of other domain, using ajax , using XDR, this work fine on IE8, but How I implement XDR on IE7 and IE6? It's possible do calls to other domains since these browsers?
No, the XDomainRequest object was created in IE8. IE6 and IE7 do not have an equivalent object. Most sites use the Adobe Flash object as a workaround.
Ok so I'm trying to learn AJAX and it mentions a need to create an XMLHttpRequest object (I get and undefined error on IE8). So asked around and was suggested to use XDomainRequest I copied the example from the MSDN site and dumped it into an html page. The html tries to load data from an examplel domian to which I don't have access to. So I point the url to my localhost to read the data using GET. The script executes, creates the xdr object, does the send then the onerror function gets called. I don't have a clue as to why.
Any help I'll put up the code if needed.
@XDR: IE7 and IE8 absolutely support the native XMLHTTPRequest object; if they're not working, then your code was incorrect.
The most likely explanation for your XDR not working is that you failed to send the Access-Control-Allow-Origin response header, or as mentioned in restriction #6 above, you tried to send the request from a page in the Internet Zone to a site (Localhost) in the IntrAnet zone.
Ok so my test page has my XDR object url pointing to a file on the localhost. I don't have access to a remote site. How else can I get up to speed with XDR and AJAX?
I'm using code from the MSDN XDR example.
@XDR: You can use this URL www.enhanceie.com/.../streamWithPrelude.aspx as your target.
Any chance custom header support was added in IE9?
@Viraj: XDR deliberately does not support custom headers.
No changes were made to XDR in IE9, except the one mentioned in the post (namely, InPrivate does not block XDR.)
More generally, I update posts as things change, so unless you've got some contradictory information, asking: "Is this information correct?" is unnecessary.
Why hasn't IE9+ made the change to allow custom headers? It's inconceivable to force developers to write APIs to support only plain/text as the Allow response. If i want JSON, i'll send application/json, if I want XML I'll send application/xml; unless the User is running IE? That's plain stupid.
Consider that the internet is supposed to be services, that can intelligently respond based purely on headers.
@Jason: I think you're a bit confused-- an XDomainRequest can return text in whatever format you like. Similarly, it can send text in whatever format you like. Now, to your question of "Why can't I send custom headers", you should probably read the blog post above, particularly point #3.
In a comment above (16 Oct 2010 11:23 AM) you say "IE7 and IE8 absolutely support the native XMLHTTPRequest object". I tried all I can think of but all I get when trying to do a cross domain http post is access denied (same script works fine in chrome, ff, safari).
Maybe you mean that XMLHTTPRequest works in the same domain only in IE... can you confirm?
@Pietro: Of course that's what that means-- the developer in question was claiming that he was finding that window.XmlHttpRequest was returning undefined.
XHR was invented by Microsoft in the late 1990s, and the same-origin restriction exists when the object is used in an untrusted context (like an Internet webpage). The idea of using CORS to permit cross-domain communication for XHR is a comparatively recent development, and for IE8 and IE9, we went a different, more secure route, using XDR. Long discussions of that decision are available, including a whitepaper by Sunava Dutta.