Thursday, September 3, 2009

AJAX Cross Site Scripting Problem...Solved

As I've mentioned, our HA GUI is built with AJAX, and I thought that I was able to easily integrate the Aviosys 9100A. Turns out some browsers and/or operating systems weren't so willing to allow access to the 9100A since it has a different IP address than the web server. It works great on Firefox on XP, but for some reason, won't on Vista. Opera on Wii wasn't too keen on it either.

Since our GUI runs on the Apache web server, I can take advantage of mod_rewrite, which rewrites the requested URL on the fly. Let's assume my server runs on I've got this code in an html file:

<div class=camera style="z-index:5; position: absolute; left: 49; top: 355px; cursor: pointer;">
<img src=images/camera_left.png border=0 onmousedown="javascript:selectCam('SideCam');" id=SideCam>

The selectCam function:

function selectCam(camera) {
var newurl,xyz;
if (camera=="SideCam") {
// set channel on 9100A
// AJAX call to load URL

What I need to do is make the AJAX call look like it's going from the same address as the web server. I just need to edit the httpd.conf file for Apache and enabled mod_rewrite and proxy modules:

LoadModule rewrite_module modules/
LoadModule proxy_module modules/
LoadModule proxy_http_module modules/

Then, I need to turn on the rewrite engine and give it a rule to rewrite certain URLs:

RewriteEngine On
RewriteRule ^/9100a/(.*) $1 [P]

The above rule will rewrite any URL containing /9100a/ with the text following /9100a/. Now, I can change the URL in the selectCam function above as follows:


This will trick the cross site scripting checks since the URL appears to be local. The URL is rewritten by Apache to, Apache will serve as a proxy to that URL and everyone's happy!

No comments:

Post a Comment