XMLHttpRequest cross site scripting on same server but different port

using XMLHttpRequest it is not possible to open a开发者_高级运维 connection to a document on a different domain than where the page itself is hosted.

but what about different ports?

for example I have a webserver running on my machine listening on port 80 so the webaddress would look like this:

http://localhost:80/mypage.html

and I have another webserver running on localhost which is meant to process the ajax requests but listens on a different port. so the javascript in mypage.html would look like this:

var xmlhttprequest = new XMLHttpRequest(); 
xmlhttp.open("GET", "http://localhost:1234/?parameters", true); 
xmlhttp.send();

would this work? or will it give a security exception as well?

Using a different port does indeed count as cross-site scripting.

There are several well-known ways to make a call (you can always send the data) and use the response (which is what you cannot normally do under anti-xss constraints), including JSONP and using an iframe in the page to load the data.

This wouldn't go as it is still practically on another server (at least another server instance, which may not be under your control).

You could add a Access-Control-Allow-Origin: http://yourdomain:1234/ in headers, google for Cross-Origin Resource Sharing. It's relativelly new though, not all browsers know about this. Or you can use jQuery (read more on http://softwareas.com/cross-domain-communication-with-iframes).