0

I have an HTML/Javascript application that uses jQuery to communicate with a web server (that I don't control). I run it from a local file (file:///app.html) and this works fine on Safari. However, it fails in Firefox, I see all my XHR requests being turned into OPTION requests, which the server does not like. Apparently it is running afoul of cross-site-scripting rules.

What is the spec regarding XHR from local pages, how do the different browsers handle it, and what is the preferred way to develop these client-side-only mashup type applications?

Thilo
  • 257,207
  • 101
  • 511
  • 656

1 Answers1

0

It makes sense that it doesn't work. The idea behind it, is that you cannot easily embed features of sites you don't control into sites you do control. Now, the use of a local, file based site is very limited, but still you could use this as a hack to embed another man's site into you local intranet.

So I'd think it's a bug that Safari allows it. See also: jQuery Ajax request from local filesystem (Windows file:///)

Community
  • 1
  • 1
GolezTrol
  • 114,394
  • 18
  • 182
  • 210
  • I think you got the motivation wrong. It is not to protect a site from being embedded elsewhere, but to protect the user who is browsing site A from getting access or damaging this user's data on site B. – Thilo Nov 14 '11 at 07:11
  • I didn't specify who would be disadvantaged by embedding this other site, but of course you are right. It's for the protection of users in the first place. – GolezTrol Nov 14 '11 at 08:10