Creating a Cross Domain Access Policy
The XMLHttpRequest object allows scripts to perform HTTP client functions, such as submitting form data or loading data from a server. Today's web browsers impose a security restriction on the use of XMLHttpRequest: a script is not allowed to make XMLHttpRequests to any server except the server the web page came from. For example, if both your web application and the data required for that application come from the same web server, there is no restriction. But if your web application is on one server and you make a request to a different server, the browser prevents the connection from opening. This restriction can be bypassed, however.
You can create a resource profile that determines whether or not to impose this restriction and to what level. By default, this restriction is bypassed and cross domain access is allowed.
To create a cross domain access policy:
1. In the admin console, choose Users > Resource Policies > Web.
2. If your administrator view is not already configured to show cross-domain policies, make the following modifications:
- Click the Customize button in the upper right corner of the page.
- Select the Rewriting check box.
- Select the Cross Domain Access check box below the Rewriting check box.
- Click OK.
3. Select the Rewriting > Cross Domain Access tab.
4. On the Cross Domain Access page, enter a name to label this policy (required) and a description of the policy (optional).
5. In the Resources section, specify the URLs to which this policy applies.
6. In the Roles section, specify:
• Policy applies to ALL roles - To apply this policy to all users.
• Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
• Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
7. In the Action section, specify:
• Allow Cross Domain Access - To not impose any restriction and allow cross domain access.
• Deny XMLHttpRequest Cross Domain Access only - To deny cross domain access if the XMLHttpRequest object is used in the call.
• Deny all Cross Domain Access - To deny cross domain access regardless of whether or not the XMLHttpRequest object is used in the call.
• Use Detailed Rules - To specify one or more detailed rules for this policy.
8. Click Save Changes.
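
The following JavaScript is an added illustration, not part of the product or its documentation. It models how the first three Action options in step 7 would treat a request, assuming "cross domain" means the target's origin (scheme, host, port) differs from the page's. The Use Detailed Rules option is not modelled, and the page URL, sample requests and function names are constructed for the example.

```javascript
// Added illustration; not the product's own rewriter logic.
// Assumption: "cross domain" = the request target's origin
// (scheme + host + port) differs from the origin of the page.
const ACTIONS = Object.freeze({
  ALLOW: 'Allow Cross Domain Access',
  DENY_XHR: 'Deny XMLHttpRequest Cross Domain Access only',
  DENY_ALL: 'Deny all Cross Domain Access',
});

// True when the two URLs do not share an origin. The URL parser
// lowercases the host and drops default ports before comparison.
function isCrossDomain(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Relative request URLs resolve against the page, as in a browser.
  const target = new URL(requestUrl, page);
  return page.origin !== target.origin;
}

// Returns 'allow' or 'deny' for one request under one action.
// viaXhr: true when the call is made through the XMLHttpRequest object.
function evaluate(action, pageUrl, requestUrl, viaXhr) {
  if (!Object.values(ACTIONS).includes(action)) {
    throw new Error('unknown action: ' + action);
  }
  if (!isCrossDomain(pageUrl, requestUrl)) return 'allow'; // same server
  if (action === ACTIONS.ALLOW) return 'allow';
  if (action === ACTIONS.DENY_XHR) return viaXhr ? 'deny' : 'allow';
  return 'deny'; // DENY_ALL
}

// Constructed sample data (hypothetical hosts).
const PAGE = 'https://intranet.example.com/app/index.html';
const SAMPLES = [
  { url: '/api/data', viaXhr: true },                           // relative
  { url: 'https://intranet.example.com:443/api', viaXhr: true }, // default port
  { url: 'http://intranet.example.com/api', viaXhr: true },      // scheme differs
  { url: 'https://cdn.example.net/lib.js', viaXhr: false },      // not XHR
  { url: 'https://api.example.net/v1/items', viaXhr: true },     // XHR
];

// One row per sample request, one column per action.
function decisionTable() {
  return SAMPLES.map((s) => {
    const row = { url: s.url, viaXhr: s.viaXhr };
    for (const [key, action] of Object.entries(ACTIONS)) {
      row[key] = evaluate(action, PAGE, s.url, s.viaXhr);
    }
    return row;
  });
}

console.table(decisionTable());
```

The table makes the difference between the two deny options visible: only the non-XHR request to another server is treated differently by them.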