We are thinking about implementing our new module with a JavaScript framework GUI and a Java backend. The plan is that the GUI makes Ajax calls to get the data from the backend.
Our worry (due to our inexperience) is that if we deploy the GUI to http://server1 and the Java backend to http://server2, then won't the relevant Ajax calls from server1 to server2 qualify as cross-site scripting?
How can we prevent this in JavaScript frameworks?
(We are looking at Angular, Knockout, Ember.js, etc)
Have a look at CORS (Cross-origin resource sharing) http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
You basically need to specify, in the header of the response from the web service, which referers are allowed.
For example:
Access-Control-Allow-Origin: http://server1