XDomainRequest Object


Represents a cross-domain Asynchronous JavaScript and XML (AJAX) request.

Members Table

The following table lists the members exposed by the XDomainRequest object.

Attributes/Properties

| Property | Description |
|---|---|
| constructor | Returns a reference to the constructor of an object. |
| contentType | Gets the Content-Type property in the HTTP request or response header. |
| responseText | Contains the body of the response returned by the server. |
| timeout | Gets or sets the value of the timeout property. |

Events

| Event Property | Description |
|---|---|
| onerror | Raised when there is an error that prevents the completion of the cross-domain request. |
| onload | Raised when the object has been completely received from the server. |
| onprogress | Raised when the browser starts receiving data from the server. |
| ontimeout | Raised when there is an error that prevents the completion of the request. |

Methods

| Method | Description |
|---|---|
| abort | The abort method terminates a pending send. |
| open | Creates a connection with a domain's server. |
| send | Transmits a data string to the server for processing. |

Prototypes

| Object | Description |
|---|---|
| XDomainRequest Constructor | Defines the properties and methods inherited by objects in the XDomainRequest Constructor prototype chain. |

Remarks

The XDomainRequest object is a safe, reliable, and lightweight data service that allows script on any document to anonymously connect to any server and exchange data. Developers can use the XDomainRequest object when cross-site security is not an issue.

Security Alert   Cross-domain requests ("XDRs") are anonymous to protect user data. This means that servers cannot easily determine who is requesting data. To protect user privacy, respond with cross-domain data that is neither sensitive nor personally identifiable. To help prevent intranet data from being leaked to malicious Internet sites, we discourage intranet sites from making XDR data available.

Cross-domain requests require mutual consent between the document and the server. You can initiate a cross-domain request by creating an XDomainRequest (XDR) object with the window object, and opening a connection to a domain.

The document will request data from the domain's server by sending an Origin header with the value of the origin. It will only complete the connection if the server responds with an Access-Control-Allow-Origin header of either * or the exact URL of the requesting document. This behavior is part of the World Wide Web Consortium (W3C)'s Web Application Working Group's draft framework on client-side cross-domain communication that the XDomainRequest object integrates with.

For example, a server's Active Server Pages (ASP) page might include the following response header:


<% Response.AddHeader("Access-Control-Allow-Origin","*") %>
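The header exchange described above can be modelled end to end. The following is an added example, not code from the original page: it compares the `*` policy of the ASP line with an exact-origin allowlist, using a Node-style handler and an in-memory response object. All function names and sample origins are constructed for illustration.

```javascript
// Added example, not from the original page. Names and sample origins are constructed.

// Server side: choose the Access-Control-Allow-Origin value, or null for none.
// policy is "*" (as in the ASP line above) or an array of exact origins.
function allowOriginFor(originHeader, policy) {
  if (policy === "*") return "*";
  // Exact string comparison only: no prefix, suffix or substring matching.
  return policy.indexOf(originHeader) !== -1 ? originHeader : null;
}

// Node-style handler (req, res) that serves one public, non-sensitive body.
function xdrHandler(policy, publicBody) {
  return function (req, res) {
    var allow = allowOriginFor(req.headers.origin, policy);
    if (allow !== null) res.setHeader("Access-Control-Allow-Origin", allow);
    if (policy !== "*") res.setHeader("Vary", "Origin"); // response differs per origin
    res.setHeader("Content-Type", "text/plain");
    res.end(publicBody);
  };
}

// Browser side, as described above: script sees the response only when the
// header is * or exactly the requesting origin.
function requestCompletes(pageOrigin, allowOrigin) {
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Run one exchange against a handler using an in-memory response object.
function exchange(pageOrigin, handler) {
  var sent = {}, body = null;
  var res = { setHeader: function (k, v) { sent[k] = v; }, end: function (b) { body = b; } };
  handler({ method: "GET", headers: { origin: pageOrigin } }, res);
  var ok = requestCompletes(pageOrigin, sent["Access-Control-Allow-Origin"]);
  return { responseHeaders: sent, completes: ok, visibleToScript: ok ? body : null };
}

var SAMPLE_ORIGINS = ["http://www.contoso.com", "http://www.contoso.com.example.net",
                      "https://www.contoso.com"];               // constructed
function outcomes(policy) {
  var handler = xdrHandler(policy, "public data");
  return SAMPLE_ORIGINS.map(function (o) { return exchange(o, handler).completes; });
}
```

With `*` every sample origin can read the body; with the allowlist only the exact match can. In both cases the handler still runs and sends the body, so the header limits what script may read, not what reaches the server.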

Cross domain requests can only be sent and received from a document to URLs in the following zones:

| From document \ To URL | Intranet | Trusted(Intranet) | Trusted(Internet) | Internet | Restricted |
|---|---|---|---|---|---|
| Intranet | Allow | Allow | Allow | Allow | Deny |
| Trusted(Intranet) | Allow | Allow | Allow | Allow | Deny |
| Trusted(Internet) | Deny | Deny | Allow | Allow | Deny |
| Internet | Deny | Deny | Allow | Allow | Deny |
| Restricted | Deny | Deny | Deny | Deny | Deny |

The XDR protocol only works with the http:// and https:// protocols.

To use the XDR protocol, you first create an XDomainRequest object. Then you use the open method to establish a connection with a server. Once a connection is opened, the send method transmits data strings to the server for processing. For example:


  
// 1. Create XDR object 
var xdr = new XDomainRequest(); 

// 2. Open connection with server using GET method
xdr.open("get", "http://www.contoso.com/xdr.aspx");

// 3. Send string data to server
xdr.send();     
                

Example

The following example sends an empty message to a server of your choice. You can select a timeout value (default 10000 msec) when sending the request. When you click the Get button, the script creates an XDomainRequest, assigns event handlers, and initiates the request. Script alerts indicate how the request is progressing. Click the Stop button to cancel the request, or the Read button to view additional properties of the response, such as contentType and responseText.


      
<html>
<script type="text/javascript">
    var xdr;

    function readdata()
    {
        var dRes = document.getElementById('dResponse');
        dRes.innerText = xdr.responseText;
        alert("Content-type: " + xdr.contentType);
        alert("Length: " + xdr.responseText.length);
    }
    
    function err()
    {
        alert("XDR onerror");
    }
    function timeo()
    {
        alert("XDR ontimeout");
    }
    function loadd()
    {
        alert("XDR onload");
        alert("Got: " + xdr.responseText);
    }
    function progres()
    {
        alert("XDR onprogress");
        alert("Got: " + xdr.responseText);
    }

    function stopdata()
    {
        xdr.abort();
    }

    function mytest()
    {
        var url = document.getElementById('tbURL');
        var timeout = document.getElementById('tbTO');
        if (window.XDomainRequest)
        {
            xdr = new XDomainRequest();
            if (xdr)
            {
                xdr.onerror = err;
                xdr.ontimeout = timeo;
                xdr.onprogress = progres;
                xdr.onload = loadd;

                // Use the elements looked up above; timeout is in milliseconds
                xdr.timeout = parseInt(timeout.value, 10);
                xdr.open("get", url.value);
                xdr.send();
            }
            else
            {
                alert('Failed to create');
            }
        }
        else
        {
            alert("XDR doesn't exist");
        }
    }
</script>
<body>
    <h2>XDomainRequest</h2>
    <input type="text" id="tbURL" value="http://www.contoso.com/xdr.txt" style="width:300px"><br>
    <input type="text" id="tbTO" value="10000"><br>
    <input type="button" onclick="mytest()" value="Get">&nbsp;&nbsp;&nbsp;
    <input type="button" onclick="stopdata()" value="Stop">&nbsp;&nbsp;&nbsp;
    <input type="button" onclick="readdata()" value="Read">
    <br>
    <div id="dResponse"></div>
</body>
</html>
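A callback wrapper around the members listed above, as an added example that is not part of the original page. `xdrPrecheck`, `xdrRequest` and the `env` parameter are hypothetical names; `env` only exists so the logic can run with a stand-in constructor. The scheme-match, GET/POST and empty `onprogress` points are taken from this page's community content.

```javascript
// Added example, not from the original page. Function names and `env` are hypothetical.

// Reject requests that XDR would refuse, before an object is created.
function xdrPrecheck(url, method, pageProtocol) {
  var m = /^(https?:)\/\//i.exec(url);
  if (!m) return "unsupported scheme: XDR only works with http:// and https://";
  if (!/^(get|post)$/i.test(method)) return "unsupported method: only GET and POST";
  // Community reports on this page: an http: target fails from an https: page.
  if (m[1].toLowerCase() !== pageProtocol.toLowerCase()) return "scheme differs from hosting page";
  return null;
}

// done(err, result) is called exactly once per request.
function xdrRequest(opts, done, env) {
  env = env || { XDomainRequest: window.XDomainRequest, protocol: window.location.protocol };
  var method = opts.method || "get";
  var problem = xdrPrecheck(opts.url, method, env.protocol);
  if (problem) { done(new Error(problem)); return null; }
  if (!env.XDomainRequest) { done(new Error("XDomainRequest is not available")); return null; }

  var xdr = new env.XDomainRequest();
  var finished = false;
  function finish(err) {
    if (finished) return;                 // ignore late or duplicate events
    finished = true;
    done(err, err ? null : { contentType: xdr.contentType, body: xdr.responseText });
  }
  // Assign every handler before open(); the empty onprogress handler is the
  // IE9 RTM workaround reported in the community content.
  xdr.onload = function () { finish(null); };
  xdr.onerror = function () { finish(new Error("XDR onerror")); };
  xdr.ontimeout = function () { finish(new Error("XDR ontimeout")); };
  xdr.onprogress = function () {};
  xdr.timeout = opts.timeout || 10000;    // milliseconds
  xdr.open(method, opts.url);
  if (opts.data == null) { xdr.send(); } else { xdr.send(String(opts.data)); }
  return xdr;
}
```

The returned `body` comes from another domain, so write it into the page as text, as the example above does with `innerText`, rather than as markup.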
                

Standards Information

There is no public standard that applies to this object.

See Also

XMLHttpRequest
Community Content

Xanadu2000
Apparent changes between IE9 RC and IE9 RTM
I used XDomainRequest without handling the "onprogress" event, which worked in IE9 RC. Since IE9 RTM, users complained about these calls not succeeding anymore. According to http://social.msdn.microsoft.com/Forums/en-US/iewebdevelopment/thread/30ef3add-767c-4436-b8a9-f1ca19b4812e the solution is to handle the onprogress event, e.g. using an empty handler function.

Hope this helps someone,

Claus

n8crawler
Trusted(intranet) and Trusted(internet)
I would like to understand why there is the separation between trusted(intranet) and trusted(internet). IE8 simply shows you a trusted zone. I understand, when you add a site to that zone, the user or the IT department expresses explicit trust to that site, no matter where located. A scenario in which someone would like to have a web application, let's say loaded from an internet on demand service from microsoft.com, being able to access data from an intranet server based on IIS inside the user's company's intranet. The browser is running directly or via VPN inside the intranet. The web application is loaded from microsoft.com and needs to consume an ODATA service hosted by the IIS in the intranet. If I look at the matrix above this would be denied. I strongly believe with the ODATA idea that could become a quite common scenario. How would that be implemented?

warpdesign_
https denied ?

Is https supported ?

When trying to POST something on https, I'm getting an exception. The same url but on http works.


Thomas Lee
XDomainRequest Works in normal html page but not in SAP Portal
In SAP Portal it tells Access Denied at line xdr.open(). However it does work well in a normal html page (or .jsp page). What would be the cause?

I figured out the cause is that SAP Portal uses https but I use http in js code. Thank you for your attention!

[tfl - 01 08 10] Hi - and thanks for your post. You should post questions like this to the MSDN Forums at http://forums.microsoft.com/msdn or the MSDN Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely to get a quicker response using the forums than through the Community Content. For specific help about:
Visual Studio : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.vstudio%2C&
SQL Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
.NET Framework : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.dotnet.framework
PowerShell : http://groups.google.com/group/microsoft.public.windows.powershell/topics?pli=1
All Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&


BetterToday
Alternative Solution
There is a very interesting alternative to XDomainRequest here:

https://wiki.mozilla.org/Security/CSP/Spec

Thomas Lee
Corrections...
Typo: "* or the exact URL of the requesting page."
Should be: "* or the exact Origin (scheme/hostname) of the requesting page."

@Vladimir Lichman: this is deliberate. Allowing unauthenticated cross-domain WebDAV submissions poses a significant security risk and is deliberately disallowed.

Vladimir Lichman
WebDAV requires PROPFIND, OPTIONS, PUT and no way to set headers
It’s a great disadvantage that requests are limited to GET and POST. This significantly limits XDomainRequest usages. It cannot be used for WebDAV requests, as it requires PROPFIND, OPTIONS, PUT, etc.
There is also no way to set request headers. Again this is critical for WebDAV.
Hope very much you will fix this.

Vitaly Sharovatov
XDomainRequestAllowed: 1 is now Access-Control-Allow-Origin: *

As noted in http://blogs.msdn.com/ie/archive/2008/10/06/updates-for-ajax-in-ie8-beta-2.aspx , XDomainRequestAllowed is now replaced with Access-Control-Allow-Origin: * HTTP header, right as in the Access Control spec (http://dev.w3.org/2006/waf/access-control/#access-control-allow-origin)


qmutz
Grid system on DUAL I.P layer
My best bet would be of course the logical usage of two API's as I have successfully timed out a request via DOMAIN parser / parsing ... I.P only ... and hence since the new 2008 servers are DUAL I.P the best logical experience would be for anonymity and security reasons ... so CC logic and or proxy usage would be a tremendous help for WINDOWS home/enterprise ...

John Sudds [Microsoft]
Why another API?

If you're wondering why we need another object to initiate server requests, you're not alone. The XDomainRequest object has been designed to be simpler and more secure than XMLHttpRequest in cross-domain scenarios. Read more about it in the newly released IE8 Whitepaper from the IE team.

http://code.msdn.microsoft.com/xdsecuritywp