I have a web application (in Java) where I need to restrict cross-domain requests made through Ajax calls in any browser (including IE, restricting the XDomainRequest object), whether through jQuery or a simple JavaScript Ajax call.
My ultimate aim is to restrict it while the call is made, either through some browser setting or by setting a response header, so it won't make the call in the first place.
If the same-origin policy is a solution, please do explain how it is addressed.
Thanks and regards, Oceanvijai
You can control which domains you accept AJAX requests from via the Access-Control-Allow-Origin response header. If the header is missing, only requests from the same domain are allowed.
Update: if you want to disallow even the initiation of AJAX requests, you could try X-Content-Security-Policy: xhr-src 'none', but I can't imagine any situation where that would be useful. Maybe you could explain the situation in a little more detail?