jquery - cross domain ajax form post --- How is this allowed?

Question

I am using jQuery and jQuery form plugin

There is a method in jQuery form plugin ajaxSubmit. You pass a form and then it submits it via ajax and you get a response. I am wondering how this is possible since the form is on a different server than the web page. (Different domains). It appears to work and I get back a response that I can process. How does this work?

domain form is hosted on (http://example.com)

form url: 127.0.0.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
    <title>PHP Point Of Sale</title>
    <script src="<?php echo base_url('/assets/js/jquery.js'.'?'.APPLICATION_VERSION); ?>"></script>
    <script src="<?php echo base_url('js/jquery.form.js'.'?'.APPLICATION_VERSION); ?>"></script>
</head>

<body>

    <form id="formCheckout" method="post" action="<?php echo $form_url; ?>">
        <?php foreach($post_data as $key=>$value) { ?>
            <?php echo form_hidden($key, $value);?>
                <?php } ?>
    </form>

    <script>
        $("#formCheckout").ajaxSubmit({
            success: function(response) {
                console.log(response);
            }
        });
    </script>
</body>

</html>

Answer 1

If the server has a response header of 'Access-Control-Allow-Origin': '*' or something similar, it will return a response.

In short, this has nothing to do with jQuery, and has everything to do with the server.

In the case above, * is a wildcard representing all origins. But it could also specify a list of origins.

Keep in mind, even in CORS requests, you can always send a request to the server, and the server will always receive it. It will only return a response though if it wants to (in this case, with the access control header, it will.)

If the server didn't have that header, then you'll get the common error in the console saying that XMLHTTPRequest could not complete because the server does not allow cross-origin communication or whatever the heck it says.

It depends on the architecture the server is using, but if it's a Node.js server using Express (for example), you'd see something like this is the server.js file or wherever:

app.use(function(req, res) { res.header('Access-Control-Allow-Origin', '*') });

The approach would be vastly different on different sever architectures (like Apache), but the header is standardized as part of HTTP, so that part stays the same.

See AJAX Cross Domain for an example.