sean.odin

cross site scripting XSS warnings in Chrome + IE

Discussion created by sean.odin on Nov 16, 2012
Latest reply on Dec 10, 2012 by sean.odin
In Chrome + IE8 I get XSS warnings, because the JavaScript originates from my web server and is making requests to a different server (the ArcGIS map server).

In IE the (spurious) XSS warning is very obtrusive to users, as they have to click 'OK' in order to get past the warning.

In Chrome, the console logs the warning:

XMLHttpRequest cannot load http://<map host name>/ArcGIS/rest/info?f=json. Origin http://<myApp hostname>:10350 is not allowed by Access-Control-Allow-Origin.


Workaround: I have a workaround: use a proxy on my web server, and force ALL requests from the JavaScript API to go through the proxy:

  esri.config.defaults.io.proxyUrl = "http://myHost/myApp/myArcGisProxy.ashx";
  esri.config.defaults.io.alwaysUseProxy = true;

However, there is a performance impact, as sending *all* requests through the proxy slows down loading + refreshing the map.


Question: Is there some way to use the ArcGIS JavaScript API so as to avoid this warning?

I understand that in JavaScript the standard way to avoid this issue is to use JSONP, or "JSON with padding", which jQuery provides out of the box.

Is there some way to get the ArcGIS JavaScript API to use JSONP?

OR can the API be updated :-)
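
The Chrome console message quoted in the post comes from the browser's check of the `Access-Control-Allow-Origin` response header on a cross-origin XMLHttpRequest. The following is an added example, not part of the original post and not Esri code, showing the server-side decision for that header against an exact-match allowlist and the browser-side comparison; the origin values and function names are assumptions made for illustration.

```javascript
// Added example. Origins and function names are constructed for illustration.
// Origins the map server agrees to share responses with (exact matches only).
const ALLOWED_ORIGINS = new Set(["http://myapp.example:10350"]);

// Parse an Origin header value into scheme://host[:port]; null if it is not one.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // covers the literal "null" origin and malformed values
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // A real Origin header has no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) return null;
  return url.origin;
}

// Server side: choose the CORS response headers for one request.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" }; // caches must key responses on Origin
  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only allowlisted origins
  }
  return headers;
}

// Browser side: the comparison behind "is not allowed by Access-Control-Allow-Origin".
function browserAllowsRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Three constructed cases: no header at all, the allowlisted app, a look-alike host.
function demo() {
  const app = "http://myapp.example:10350";
  const lookalike = "http://myapp.example.other.example:10350";
  return {
    noHeader: browserAllowsRead(app, {}),
    allowlisted: browserAllowsRead(app, corsHeaders(app)),
    lookalike: browserAllowsRead(lookalike, corsHeaders(lookalike)),
  };
}

console.log(demo());
```
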
