Working with AJAX and http_request


I had an idea to start working on a web-based interface that communicated directly with objects in-world using only AJAX. AJAX would be preferred, as the processing would be done within a client's web browser rather than on the server, and it opens up the ability to host everything on a static web site. I found staticloud was a great site that is free just for this purpose. It turned out that http_request receives the request, but the web browser ignores the response. I tracked it down to a missing header on Linden Lab’s end. I filed a feature request (SVC-7038) and ask that you vote on it.


Posted via email from dedricmauriac’s posterous

2 Responses to Working with AJAX and http_request

  1. You discovered that this is deliberate behavior to prevent cross site scripting attacks. If you serve your HTML from the prim, the issue goes away. But that’s a pain, or impossible to do for anything large. I ended up using Perl and WWW::Mechanize and LWP: as an intermediary between the web page and the prim. It’s a pain, but that’s what has to happen.

    But I would love to see this new header be implemented as it prevents a lot of my code from working well with SL, like my Android/Blackberry/iPhone app that uses AJAX. Everything has to be served off an outside server and double served back to the prim in world. This in turn leads to security issues with data flowing through an intermediate server for no good reason.

    The security issues in this header have been thought out by Mozilla, so there should be no issues with security. The prim only produces a header allowing a web site to use AJAX to communicate from a second domain.

    FYI, the Lindens no longer count votes. They only look at comments and in particular, Watchers. I voted and clicked watch for ya, too, as this would be a huge help.

    • Thanks for the vote & watch. As I responded on JIRA, you can’t serve HTML on prims from inworld scripts. You just get normal text output. I know about the security issues, but there are no cookies served that would cause XSS attacks on personal info. Web servers can do the same so I really don’t see the problem in this case.
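
Added example, not part of the original post or its comments: a small model of the check a browser applies to a cross-origin AJAX response, showing why the in-world script still receives the request while the page never sees the reply. The page does not name the missing header; this sketch assumes it is CORS's `Access-Control-Allow-Origin`, and every origin, URL and helper name in it is constructed.

```javascript
// Models the browser-side CORS check (Fetch spec, "CORS check") for a
// simple cross-origin GET. Assumption: the missing header discussed above
// is Access-Control-Allow-Origin. All URLs and origins are constructed.

function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns true when page script is allowed to read the response.
function corsCheck(pageOrigin, targetUrl, responseHeaders, withCredentials = false) {
  if (new URL(targetUrl).origin === pageOrigin) return true; // same origin: no check
  const allow = headerValue(responseHeaders, "Access-Control-Allow-Origin");
  if (allow === null) return false;                    // header missing: response hidden
  if (!withCredentials && allow === "*") return true;  // wildcard, no cookies sent
  if (allow !== pageOrigin) return false;              // otherwise must match exactly
  if (!withCredentials) return true;
  return headerValue(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Simulates one request: the server handler always runs; the check only
// decides whether the calling script gets to see the body.
function simulateFetch(pageOrigin, targetUrl, server, withCredentials = false) {
  const response = server.handle();                    // request reaches the script
  const readable = corsCheck(pageOrigin, targetUrl, response.headers, withCredentials);
  return { serverHits: server.hits, body: readable ? response.body : null };
}

// Hypothetical stand-in for the in-world http_request handler.
function makeServer(headers) {
  return {
    hits: 0,
    handle() { this.hits += 1; return { headers, body: "hello from the prim" }; },
  };
}

const PAGE = "https://static.example";                   // constructed static site
const PRIM = "http://sim.example:12046/cap/placeholder"; // constructed http_request URL

const bare = simulateFetch(PAGE, PRIM, makeServer({ "Content-Type": "text/plain" }));
const open = simulateFetch(PAGE, PRIM, makeServer({ "access-control-allow-origin": "*" }));
console.log(bare); // request counted, body withheld
console.log(open); // request counted, body delivered
```

The wildcard value is only honoured for requests sent without credentials; a request that carries cookies needs the exact origin plus `Access-Control-Allow-Credentials: true`.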
