Cross Domain GET Forwarding

When you make an AJAX request on a website, the URL you request needs to reside on the same domain as the page making the request. This is a security restriction imposed by the browser (the same-origin policy). There is a way to sneak around this by using a bit of a "man in the middle" approach: a proxy on your own server.

PHP, being a server-side language, has the ability to pull content from any URL. So a PHP file can become the man in the middle. The contents of the PHP file can be set up to accept a URL as a parameter and then return the contents of that URL.

<?php

    echo file_get_contents($_GET['url']);
    // WARNING: You REALLY should write something to whitelist or otherwise limit what the function will accept, or it could be a security danger to your server (file_get_contents() also accepts local paths, so people could read any file).

?>

With that in place, we can do an AJAX request directly to that URL, passing it the URL we actually want the data from as a parameter. See how we are passing "http://google.com" as data below.

<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js?ver=1.3.2'></script>
<script type='text/javascript'>
    $(function() {
        $.ajax({
            type: "GET",
            dataType: 'html',
            // Object form lets jQuery URL-encode the value for us
            data: { url: 'http://google.com' },
            url: 'get.php',
            success: function(data){
                // Yah! Do something cool with data
            },
            error: function(){
                // Boo! Handle the error.
            }
        });
    });
</script>

This is an extremely simple example. If you are interested in a more robust version, check out the Simple PHP Proxy.
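
One way to act on the warning in the PHP snippet above, as an added example that is not part of the original article: a get.php that only fetches http(s) URLs whose host is on an exact-match allowlist. The host names, size cap and timeout are assumptions to replace with your own.

```php
<?php
// Hardened get.php (added example). Host names are placeholder assumptions.
const ALLOWED_HOSTS = ['api.example.com', 'feeds.example.org'];
const MAX_BYTES = 1048576; // cap the proxied body at 1 MiB
// Return a rebuilt URL that is safe to fetch, or null if the input is not allowed.
function proxy_target(string $url): ?string
{
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null; // control chars/whitespace: header injection, parser confusion
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null; // bare paths such as /etc/passwd stop here
    }
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    // http(s) only: rules out file://, php:// and the other stream wrappers.
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($p['user']) || isset($p['pass']) || isset($p['port']) // no credentials, no custom ports
        || !in_array($host, ALLOWED_HOSTS, true)) {                   // exact host match only
        return null;
    }
    // Rebuild from the parsed parts so the fetcher sees exactly what was checked.
    return "$scheme://$host" . ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; only the first is accepted.
    foreach (['https://api.example.com/v1/items?id=7', 'file:///etc/passwd', '/etc/passwd'] as $u) {
        echo $u, ' => ', var_export(proxy_target($u), true), PHP_EOL;
    }
    exit;
}
$target = is_string($_GET['url'] ?? null) ? proxy_target($_GET['url']) : null;
if ($target === null) {
    http_response_code(400);
    exit('URL not allowed');
}
// Do not follow redirects: an allowed host could bounce the request elsewhere.
$ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
$body = @file_get_contents($target, false, $ctx, 0, MAX_BYTES);
if ($body === false) {
    http_response_code(502);
    exit('Upstream fetch failed');
}
// Serve as inert text so fetched markup never runs in this site's origin.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $body;
```

Run from the command line, the file prints the verdict for each constructed input; served over HTTP, it answers the same `get.php?url=...` request the jQuery call makes.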

Comments

  1. Benjamin Mayo

    Fine, until someone exploits it to read any file on your hard drive and finds loopholes pretty quickly.

    This is a major flaw, and this snippet should be removed.

  2. Joram

    James Padolsey made a cool Cross Domain AJAX Mod for jQuery. It uses YQL, which allows us to make cross domain GET Requests.

    http://james.padolsey.com/javascript/cross-domain-requests-with-jquery/
