XDomainRequest’s hidden requirements

Jerry Stratton, July 23, 2012

Microsoft Internet Explorer 8 and 9 do not support cross-domain requests and Access-Control-Allow-Origin with XMLHttpRequest. If you’re doing an XML request to get information from a service that isn’t on the page’s server¹, IE 8 and 9 don’t support it. Microsoft has a different method for grabbing cross-domain requests, XDomainRequest.

The biggest problem I ran into is that most of the examples I saw of XDomainRequest mirrored the use of XMLHttpRequest’s synchronous mode. I suspect they took the simple version from Microsoft’s XDomainRequest page without following through to the working version:

// 1. Create XDR object
var xdr = new XDomainRequest();
// 2. Open connection with server using GET method
xdr.open("get", "http://www.contoso.com/xdr.aspx");
// 3. Send string data to server
xdr.send();

For all practical applications that require a response, that doesn’t work. XMLHttpRequest accepts a “false” as the third parameter to turn off asynchronous operation. XDomainRequest does not. XDomainRequest only works asynchronously. That means you have to create a callback method to execute once the response is fully loaded; the callback method is onload. Otherwise, sometimes XDomainRequest will appear to work and sometimes it will appear not to work, depending on whether the asynchronous request has completed by the time you access the responseText property.

It’s probably not a bad idea to use XMLHttpRequest asynchronously as well, although it’s often a bit of overkill with requests for a couple of bytes to a nearby server.

[toggle code]

<script type="text/javascript">
- function verifyAvailability() {
  - //first, attempt to get the XML response using standard JavaScript
  - try {
    - var xmlhttp = new XMLHttpRequest();
    - xmlhttp.open("GET", "https://appserver.example.com/service/availability/");
    - xmlhttp.onload = function() {
      - actOnResponse(xmlhttp.responseXML);
    - }
    - xmlhttp.send();
  - } catch(error) {
    - var http = new XDomainRequest();
    - http.open("get", "http://proxy.example.com/service/availability/");
    - http.onload = function() {
      - //IE 8 does not enable the DOMParser by default? Awesome, if true.
      - var response;
      - if (window.DOMParser) {
        
        //this is untested
        
        var parser = new window.DOMParser();
        
        response = parser.parseFromString(http.responseText, "text/xml")
      - } else {
        
        response = new ActiveXObject("Microsoft.XMLDOM");
        
        response.async=false;
        
        response.loadXML(http.responseText);
      - }
      - actOnResponse(response);
    - }
    - http.send();
  - }
- }
- function actOnResponse(response) {
  - var availability = response.getElementsByTagName("availability")[0].childNodes[0].nodeValue;
  - if (availability == 'on') {
    - window.alert("Turning it on");
  - }
- }
- window.onload=verifyAvailability;
</script>

The biggest part of the Internet Explorer XDomainRequest fallback is parsing the XML. XMLHttpRequest will parse the response as XML automatically² and populate responseXML with the resulting XML document. XDomainRequest does not, so you’ll have to do it yourself. The most obvious choice would be the DOMParser, but, at least in IE 8 on the computer I had to use for testing while building the function, DOMParser functionality was not turned on by default; it appears to be up to the user to turn it on, and that’s obviously not something we can rely on. So if the DOMParser isn’t available I use the ActiveXObject equivalent.

That, however, isn’t everything: if you look closely, you’ll see a different request URL in the IE error handling section than in the main version. That’s because our application server always serves over SSL; the particular page that needed to make the cross-domain request is not served over SSL. For XDomainRequest, however, it isn’t just that you can’t make insecure requests from secure pages: the protocols must always match; you can’t make an https request from an http page either.³

So what started as a very simple XML request to a service to see if it’s available goes from about three lines of code in WebKit/Mozilla, to three lines of code plus eleven lines of error handling to cover IE.

To summarize, there are three issues that I ran into when using XDomainRequest to replace XMLHttpRequest in Internet Explorer 8 and 9:

XDomainRequest is always asynchronous, which means you have to use a handler to handle the response.
XDomainRequest does not parse XML; you’ll have to parse it yourself.
XDomainRequest cannot load a secure response from an insecure page.

I can’t find any information on whether cross-domain is marked using the page as reference or the script.
↑
At least as long as the response is text/xml or (most likely) application/xml.
↑
“However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely.”
↑

XML DOM Examples: Some good examples of using the XML DOM in JavaScript.

Comments?

##

Love this article. Pointed out a few issues I was having. Biggest was the ability parse the returned 'xml'. Sadly, I still didn't get it working, but you at least got me closer than any other documentation I found. We modified our implementation and just removed support for the non-standard object.

Thank you for your time on it.

Lance Gliser in United States at 3:19 p.m. October 10^th, 2013
qrlJV

Your email, URL, and location are optional—but I won’t be able to contact you if you don’t leave a working email. Your email does not get displayed, your URL and location do. Your name is required but may vary as the needs of the day demand, or you can just use the anonymous Hark Thrice name. You can use the following tags: <em>, <a>, <blockquote>. Use them wisely and post intelligently. Comments may take some time to approve, especially if I’m stuck in a Mexican jail.

If you have private comments, or questions about this page, please, leave a message on the Negative Space Comments Page.

Lost?

If you’re looking for something here, use the search box in the navigation to limit your search to this part of the site, or use the Negative Space search page.

Jerry

Before the rise of capitalism, the way people amassed great wealth was by looting, plundering, and enslaving their fellow man. Capitalism made it possible to become wealthy by serving one’s fellow man. — Walter E. Williams (Capitalism and the Common Man)

Contents of Negative Space™ as a whole Copyright © 1994-2024 Jerry Stratton. Individual copyrights remain held by their respective authors unless they specify otherwise. Site titles, such as Negative Space, Strange Bedfellows, Biblyon Broadsheet, Highland Games, and FireBlade Coffeehouse are trademarks of Jerry Stratton.

Code and code snippets, to the extent that they are copyrightable, may be re-distributed under the terms of the GNU General Public License 3.

XDomainRequest’s hidden requirements last modified July 23rd, 2012.

Your comment
Your name
Your email
Your web page
Your location

Mimsy Were the Borogoves

XDomainRequest’s hidden requirements

Editorials

Books, Movies, & Music

Technology & Hacks

Food

42 Astounding Scripts

Walkerville Reader

Biblyon Broadsheet

About Mimsy

Comments?

Lost?

Mimsy Were the Borogoves

XDomainRequest’s hidden requirements

Editorials

Books, Movies, & Music

Technology & Hacks

Food

42 Astounding Scripts

Walkerville Reader

Biblyon Broadsheet

Blogroll

Keep in touch

About Mimsy

Comments?

Lost?