Making cross-sub-domain ajax (XHR) requests using mod_proxy and iframes

Making cross-sub-domain ajax (XHR) requests using mod_proxy and iframes

One of the restrictions imposed by all browser side programming languages is that one cannot make cross-domain ajax requests. This restriction comes because of the same origin policy and even sub-domain ajax calls are not allowed. In this blog post, I will demo two methods of making cross-sub-domain ajax requests. First demo will use mod_proxy module of Apache. While the second demo will use iframe and javascript tricks for making sub-domain ajax requests.

Using mod_proxy for cross-domain ajax requests
By enabling mod_proxy module of apache2, we can configure apache in reverse proxy mode. In reverse proxy mode, apache2 appears be like an ordinary web server to the browser. However depending upon the proxy rules defined, apache2 can make cross-domain request and serve data back to the browser.

Demo Link for Cross Domain Ajax using Apache mod_proxy

In this demo, I will make cross-domain request to To make this cross-domain request successful, I have configured apache2 as shown below:

  1. Enable mod_proxy module.
    $ a2enmod proxy
    $ a2enmod proxy_http
    $ a2enmod proxy_connect
  2. Add the following lines to httpd.conf:
    $ cat /private/etc/apache2/httpd.conf | grep mod_proxy
    LoadModule proxy_module libexec/apache2/
    LoadModule proxy_connect_module libexec/apache2/
    LoadModule proxy_http_module libexec/apache2/
  3. Create a file reverse-proxy.conf and add the following config:
    $ cat /private/etc/apache2/other/reverse-proxy.conf
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Deny from all
    Allow from
    ProxyPass /webdemos/crossdomainajax/reverse-proxy-get.php
    ProxyPassReverse /webdemos/crossdomainajax/reverse-proxy-get.php

In brief, when Apache sees an incoming ajax request to /webdemos/crossdomainajax/reverse-proxy-get.php , it simply proxy pass it to and return back the response. The whole process is hidden from the users on the demo page.

Using iframes for cross-domain ajax requests
Another method of achieving sub-domain ajax requests is by using iframes. However, javascript does not allow communication between two frames if they don’t have same document.domain. The simplest of the hacks to make this communication possible is to set document.domain of the iframe same as that of the parent frame.

Demo Link for Sub-Domain Ajax using iFrames

In this demo, I will make a sub-domain request to To make this possible, I load an iframe with src="" and set document.domain=""; for the iframe.


<script type="text/javascript" src=""></script>
<script type="text/javascript">
	jQuery(function($) {
		function getTimestamp() {
				function(data) {
					$('#iframe_ajax_data', top.document).html('Server time received through iframe ajax: '+data);

		document.domain = "";
		$('#link', top.document).click(function() {

In brief, iframe-demo.php sets an onclick event on $('#link' top.document) , which makes a sub-domain ajax request to



    1. The second method deals with cases when you want to fetch data from a sub-domain. You can’t make an ajax call directly from the parent page, hence you do it through iframes.

      Consider case of facebook chat. If you see in firebug all chat related ajax are sent to which is achieved by the tricks in the second demo.

    2. Ohk.. now i get it..
      But its not actually cross browser then, to a user it may appear to be cross browser. I mean, i cant use this method to get data of some 3rd party website which is not mine (this is mostly where cross domain ajax request would come into play).

    3. guy

      For the mod_proxy approach, what IP address will the target server [] see if I go to your demo page and run it? Will the target server see my IP or your server’s IP?

      If it’s your server’s, then there’s no point in using mod_proxy.


    4. Though currently both and this blog on same server, i don’t have any data to prove this.

      But i believe you will get ip of and not in case they were on hosted on different ip servers.

      Response header also only include and have no sign that it proxied the request to internally.

    5. guy

      Good news! I enabled mod_proxy on my personal server then accessed an external url (different server) and the REMOTE_ADDR value is the client IP address.

      However, there are some additional headers: [“HTTP_X_FORWARDED_FOR”]=>
      string(9) “”
      string(14) “localhost:8080”
      string(11) “”

      As you can see, the proxy server ip and hostname are passed to the target server. Thus, I’m assuming mod_ip_forwarding specifically resolves that by NOT passing the proxy server info — which is a highly desirable thing!

      I don’t want the target server to even know about the proxy server. But I guess it’s ok for most situations — wherein only the REMOTE_ADDR value will be used by target servers.

      I have yet to install mod_ip_forwarding to see if it does the job, but I’d like to test it out.

      Thanks for the article, mate. This is a game changer for cross-scripting until future browsers support it on the client-side. At least, it’s available for the folks who have access to Apache (or their web server).

      I was in great need for this. Flash 5 was the last hope, but I recently tried it with no results.

      Kudos! Thanks!!!!

    6. guy

      One more question: Have you tried using .htaccess for the proxy rules? Having the rules in httpd.conf works fine for static stuff.

      If we could use .htaccess, that’ll make things more dynamic and powerful.

      I’ve tried a couple of rules – but none worked!

      Let me know. Thanks.

    7. guy


      One more question for you: I’ve successfully set up mox_proxy (reverse proxy) locally. I can make external ajax calls in Firefox & Safari with no problem. But I still get the Access Denied error from IE. Do you think it has to do with running things locally?

      Your proxy ajax demo works fine for me in IE. Yet, mine won’t work in IE.

      I’m thinking it might have to do with running it locally, but I’m not sure.


  1. Pingback: How to build a custom static file serving HTTP server using Libevent in C | Abhi's Weblog

  2. Pingback: Cross Domain Ajax Handler Using PHP » Swiftwater Solutions LLC

  3. bhavishya

    will the first approach (mod_proxy) will fulfill my probelme .my problem is” i want to integrate my application with other web site .in this my web site will send post request to some other web site on behalf of the user so this will set cookies in user browser than it will redirect user to that site so user does not need to provide authentication detail again”.

Leave a Reply