JavaScript HTTP GET and POST
When initiating an HTTP or POST request:
- Common browsers do not allow JavaScript to call cross-domain
- So this means that in every HTTP request to a given domain, the "Host" in the request header represents the origin host, foo.com, and cannot be modified by the client request?
- Furthermore, when the request originated from a subdomain, bar.foo.com, the "Host" in the request header is "bar.foo.com"
- And this holds true when doing a cross-domain HTTP request, i.e. the "Host" is foo.com or, if a subdomain, bar.foo.com, and the receiving end (the other domain) will see the "Host" as these hosts respectively?
Everything through the HTTP browser sandbox (not just AJAX calls! iframes have restrictions based on the same conditions, but for different things - namely, you can't control the content of an iframe on a different domain/host/port/proto, but you can load pages and see the URI of what is loaded. The content in JS is off-limits) is done client-side rather than server-side: the browser will actively refuse to query anything that does not have:
- the same hostname (subdomains count as different hostnames)
- the same port
- the same access method (HTTP or HTTPS)
For AJAX, this leads to a big red "cannot due to security"-esque error. In browsers, the request will happen: there is a way to bypass this restriction, using Access-Control headers. These tell the browser "I'm friendly to X", X being a wildcard list of domains (and * means everything).
To figure this one out, browsers perform the request and, if CORS is not on, actively fire an exception (XMLHttpRequest: X not allowed by Y). The request, however, has happened.
The obvious solution is to add an Access-Control-Allow-Origin header in order to signify that cross-domain queries to your site are okay. However, bear in mind 2 things:
- Most browsers have it, some don't (IE8 <.<)
- CORS has little bugs of its own if URLs are hardcoded in the script (read up on it!)
You'll therefore want a JSONP fallback for IE. However, keep in mind that all of this is done client-side, and there is no guarantee that there aren't browsers that actively disregard CORS or the WebKit security model. The entire model relies on client-side host resolution.
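Added example, not part of the original question or answer: a server-side sketch of the hostname/port/scheme comparison described above, used to pick the Access-Control-Allow-Origin value from an exact allowlist instead of "*" and to refuse state-changing requests from other origins before any work is done, since the browser-side block only comes after the request has happened. The allowlist entries and the function names (originTuple, sameOrigin, matchAllowed, corsHeaders, decide) are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS holds constructed sample values.
const ALLOWED_ORIGINS = ['https://foo.com', 'https://bar.foo.com:8443'];

// Reduce a URL to what the browser compares: scheme, hostname, port.
function originTuple(url) {
  const u = new URL(url);
  const defaults = { 'http:': '80', 'https:': '443' };
  return `${u.protocol}//${u.hostname}:${u.port || defaults[u.protocol] || ''}`;
}

// Two URLs are same-origin only if all three parts are equal.
function sameOrigin(a, b) {
  return originTuple(a) === originTuple(b);
}

// Return the allowlist entry matching the request's Origin header, or null.
function matchAllowed(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string') return null;
  try {
    return allowed.find((o) => sameOrigin(o, requestOrigin)) || null;
  } catch {
    return null; // "null" or malformed Origin values never match
  }
}

// Emit Access-Control-Allow-Origin only for an exact match, never "*".
function corsHeaders(requestOrigin) {
  const headers = { Vary: 'Origin' }; // keep caches from mixing origins
  const match = matchAllowed(requestOrigin);
  if (match) headers['Access-Control-Allow-Origin'] = match;
  return headers;
}

// The handler runs whether or not the browser later lets the page read the
// response, so state-changing methods are refused here, on the server.
// Requests without an Origin header fall through to the application's
// normal authentication (assumed to exist elsewhere).
function decide(method, requestOrigin) {
  const headers = corsHeaders(requestOrigin);
  const stateChanging = !['GET', 'HEAD', 'OPTIONS'].includes(method);
  if (stateChanging && requestOrigin !== undefined && !matchAllowed(requestOrigin)) {
    return { status: 403, headers };
  }
  return { status: 200, headers };
}
```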