If I have two Apache servers running on my i, one http://hostname:80 and the other http://hostname:81, I can open http://hostname:80/page and http://hostname:81/page from my browser. If, however, http://hostname:80/page tries to make an AJAX call to http://hostname:81/page, that's cross-site scripting.
________________________________________
From: Booth Martin [booth@xxxxxxxxxxxx]
Sent: Wednesday, December 5, 2018 12:52 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Header set Access-Control-Allow-Origin for web services
I believe the following is an accurate report:
  * The i is remote, reached by VPN.  Let's call
    "i.server.com:10000/web/services/Oceans" TheURL. This is a web
    service providing a short list of 5 oceans from QMYLIB/OCEANSP.
  * There is also an HTTP server set up on the TheURL's domain with a
    website using JavaScript.  That JavaScript presents a web page with
    a nicely formatted layout and attempts to retrieve the Oceans data
    from TheURL.  It fails with the CORS failure.
  * Eclipse is installed on my PC and the same JavaScript set-up is
    installed there, pointing at TheURL.  It fails with the CORS failure.
If I point my regular browser at TheURL I immediately get the 5 oceans
returned to me.  Both JavaScript installations give me the CORS
failure.  In other words, any regular web browser inside the VPN can
easily retrieve the data, but a JavaScript server at the same domain is
blocked???
That's just ridiculous; therefore, I am misunderstanding something.
On 12/5/2018 12:15 PM, Justin Taylor wrote:
Sounds like cross-site scripting.  By default, JavaScript (JS) is prevented from calling servers other than the origin server that served the initial page.
Is your JS trying to call a different server?
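
The origin comparison discussed in this thread, as an added example that is not code from any of the posters: it models how a browser derives an origin (scheme, host, port) and how the Access-Control-Allow-Origin response header from the subject line decides a cross-origin read. The page URL `http://i.server.com/oceans.html` and the `http` scheme are assumptions; `corsDecision` and its options are hypothetical names.

```javascript
// Added example: models the browser's same-origin test and the
// Access-Control-Allow-Origin check for a non-preflighted request.
// URLs are constructed from the thread; the http scheme is assumed.

// An origin is scheme + host + port. URL.origin omits default ports,
// so http://hostname:80 serializes as "http://hostname".
function originOf(url) {
  return new URL(url).origin;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Returns "same-origin", "allowed" or "blocked".
// allowOrigin: Access-Control-Allow-Origin response header value, or null if absent.
// opts.credentials: true when the request carries cookies or HTTP auth.
// opts.allowCredentials: Access-Control-Allow-Credentials header value, if sent.
function corsDecision(pageUrl, requestUrl, allowOrigin, opts = {}) {
  if (isSameOrigin(pageUrl, requestUrl)) return "same-origin";
  if (allowOrigin == null) return "blocked";
  const value = allowOrigin.trim();
  const exact = value === originOf(pageUrl);
  if (opts.credentials) {
    // The wildcard is not honoured for credentialed requests.
    return exact && opts.allowCredentials === "true" ? "allowed" : "blocked";
  }
  return value === "*" || exact ? "allowed" : "blocked";
}

const page = "http://i.server.com/oceans.html"; // constructed page URL
const service = "http://i.server.com:10000/web/services/Oceans";

// Same host, different port: different origin.
console.log(isSameOrigin("http://hostname:80/page", "http://hostname:81/page"));
// No header from the web service: script cannot read the response.
console.log(corsDecision(page, service, null));
// Header names the page's origin exactly: read is permitted.
console.log(corsDecision(page, service, "http://i.server.com"));
// Wildcard with credentials: still blocked.
console.log(corsDecision(page, service, "*", { credentials: true }));
```

Typing the service URL into the address bar is a top-level navigation, not a script reading a cross-origin response, so no Access-Control-Allow-Origin check applies to it. Echoing one specific trusted origin in the header is narrower than `*`, which lets any site's script read the response.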