Cross-site HTTP requests are HTTP requests for resources from a different domain than the domain of the resource making the request. Cross-site HTTP requests initiated from within scripts have been subject to well-known restrictions, for well-understood security reasons.
The Web Applications Working Group within the W3C has proposed the new Cross-Origin Resource Sharing (CORS) recommendation, which provides a way for web servers to securely handle cross-site requests.
The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser.
A simple cross-site request happens when we make an HTTPS Ajax request for login from a page loaded over HTTP (I will give an example of this). It can also happen for an HTTP Ajax call to a separate domain.
Example:
Here I will show how to make an HTTPS Ajax call to a WCF service from a page loaded over HTTP.
From the JavaScript, you should make the request in the following way:
    var url = "https://serveraddress/service1.svc/UserInfo";
    var invocation = new XMLHttpRequest();
    var invocationHistoryText;

    // Send the cross-site GET request asynchronously.
    function UserInfo() {
        if (invocation) {
            invocation.open('GET', url, true);
            invocation.onreadystatechange = handler;
            invocation.send();
        }
        else {
            alert("No Invocation TookPlace At All");
        }
    }

    // Called on every readyState change; 4 means the request is complete.
    function handler(evtXHR) {
        if (invocation.readyState == 4) {
            if (invocation.status == 200) {
                var response = invocation.response;
                alert(response);
            }
            else
                alert("Invocation Errors Occurred");
        }
    }
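On the service side, we need to add the Access-Control-Allow-Origin header with the value http://serveraddress to allow the cross-site request. The value is the origin of the calling page (scheme and host), so here it uses http even though the service itself is reached over https.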
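    // Requires: using System.Web;
    // HttpContext.Current is only available when the WCF service runs in ASP.NET compatibility mode.
    public string UserInfo()
    {
        // Allow pages served from http://serveraddress to read this response.
        HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "http://serveraddress");
        return "This is your information";
    }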
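The following is an added example, not code from the original post: it models why the http page and the https service count as different origins, how a server can pick the Access-Control-Allow-Origin value from an exact-match allow-list instead of echoing any caller, and the check the browser then applies. The host serveraddress comes from the article; the function names, the page paths and evil.example are assumptions made for illustration.

```javascript
// Added example: origin comparison and allow-list handling for simple CORS requests.
// "serveraddress" is the article's host; "evil.example", the page paths and all
// function names are constructed for illustration.

// Serialize the origin (scheme + host + port) of a URL, as the browser does.
function originOf(url) {
  return new URL(url).origin;
}

// A request is cross-origin when scheme, host or port differ.
function isCrossOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) !== originOf(targetUrl);
}

// Server side: decide which CORS headers to send for the request's Origin header.
// Only an exact match against the allow-list is echoed back; any other origin
// gets no Access-Control-Allow-Origin header at all.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  const headers = { 'Vary': 'Origin' }; // the response differs per Origin, so caches must key on it
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Browser side (simple, non-credentialed request): may script at pageOrigin read the response?
function browserAllowsRead(pageOrigin, responseHeaders) {
  const allowed = responseHeaders['Access-Control-Allow-Origin'];
  return allowed === '*' || allowed === pageOrigin;
}

const ALLOWED = ['http://serveraddress'];
const SERVICE = 'https://serveraddress/service1.svc/UserInfo';

// Run the article's scenario for an allowed page and for an unlisted one.
function demo() {
  const pages = ['http://serveraddress/login.html', 'http://evil.example/page.html'];
  return pages.map((page) => {
    const origin = originOf(page);
    const headers = corsHeadersFor(origin, ALLOWED);
    return {
      origin,
      crossOrigin: isCrossOrigin(page, SERVICE),
      readable: browserAllowsRead(origin, headers),
    };
  });
}

console.log(demo());
```

Both pages are cross-origin to the service, but only the one whose origin is on the allow-list receives a header that lets its script read the response.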
For details, visit https://developer.mozilla.org/En/HTTP_access_control