What is the difference between node.js https request and XMLHttpRequest?

What is the difference between an HTTPS request sent through the node.js module and via XMLHttpRequest?

I am trying to send an HTTPS GET request to amazon aws to get the security token from javascript (XMLHttpRequest) and it always fails with "Origin http://my_ip is not allowed by Access-Control-Allow-Origin", but if I send one and the same HTTPS GET request through the node.js module, it works fine.

I got confused about this because if the server supports CORS, any request from anywhere should fail, but it goes through node.js, but not through XMLHttpRequest.

This FAILS

```js
// `timestamp`, `hash` (the SigV2 signature) and the URL-encoding helper
// `encode` are computed earlier in the poster's code and are not shown here.
var url_ = "https://sts.amazonaws.com/?Action=GetSessionToken" +
    "&DurationSeconds=3600" +
    "&AWSAccessKeyId=XXXXXXXXXXXXXXX" +
    "&Version=2011-06-15" +
    "&Timestamp=" + encode(timestamp) +
    "&Signature=" + encode(hash) +
    "&SignatureVersion=2&SignatureMethod=HmacSHA256";

// Simple GET request (jQuery, XHR under the hood); in the browser this fails
// with the Access-Control-Allow-Origin error quoted above.
$.get(url_, function(data) {
  alert("response: " + data);
});
```

This WORKS

```js
// `timestamp` and `signature` are prebuilt "Timestamp=..." and "Signature=..."
// query fragments computed earlier in the poster's code and are not shown here.
var https = require('https');

var options = {
  host: 'sts.amazonaws.com',
  method: 'GET',
  path: '/?Action=GetSessionToken' +
        '&DurationSeconds=3600' +
        '&AWSAccessKeyId=XXXXXXXXXXXXXX' +
        '&Version=2011-06-15' +
        '&' + timestamp +
        '&' + signature +
        '&SignatureVersion=2&SignatureMethod=HmacSHA256'
};

// Node.js applies no same-origin policy, so the response body arrives as-is.
https.get(options, function(res) {
  res.on('data', function(d) {
    process.stdout.write(d);
  });
}).on('error', function(e) {
  console.error(e);
});
```

Can someone explain to me how this works?

+6
3 answers

The browser is limited to the same origin policy. Node.js is not.

Thus, the browser will allow scripts to make HTTP requests through XHR only on sites in the same domain as the page loading the script. Node.js, however, will allow HTTP requests to any domain.

(Browser history is now slightly more related to CORS, but this is still the main issue here.)

edit - to clarify, now that I re-read your question: CORS is a collaborative protocol. A server on the Internet will serve content to anyone, in general; that's the whole point of starting a web server. CORS has nothing to do with HTTP requests unless the request asks for it. If you have the URL "http://xyz/something" and you enter it in your browser address bar, the browser will immediately send an HTTP request to this site. The same origin policy (and CORS) enters the game only when some code on a page from a site in another domain (and not "xyz") tries to launch an HTTP request through XHR. In this case, the browser asks the site "xyz" for access; the default answer is no, but it is the browser imposing this rule, not the server.

+7

This is the difference in the environment. Usually, you can freely send any HTTP request anywhere (as now, sending a request to this very site).

Node.js runs on your behalf a program provided by you and, therefore, supposedly trusted. This is why there are no default restrictions. You can add arbitrary restrictions if you expect to enable and run untrusted code - just check your favorite search engine on "Node.js untrusted code" for any idea on an accessible sandbox.

The browser, on the other hand, almost always runs untrusted code, but on behalf of the user and with all possible permissions. Since the browser environment needs to be standardized so that all browsers work the same way, a number of security policies have been agreed between the authors, and they have implemented controls in their browsers on XHR connections coming from JavaScript, in accordance with the same origin policy and later CORS. The browser itself controls these restrictions, not JavaScript or the remote server. You will have the same environment restrictions if you choose a different language as well.

+2

node.js is a server language. Do not be confused by the .js extension. It always causes you a lot of confusion when you are new to this. So this is very similar to php, or C++. You can send any request to wherever you want. Access to any site (hence the https request). But javascript in the browser is a client-side language. The browser will not allow you to access the page from another server. Say you are on host.com:80. You can only receive data from host.com:80/*, not host2.com or even something.host.com

This does not apply to node.js

+1

Source: https://habr.com/ru/post/919160/
