Future of Cross-Site Requests

By Anne van Kesteren, annevk@opera.com

Opera Software ASA


http://example.org and http://example.example.org?

http://example.org and http://www.example.org?

http://example.org:80 and http://example.org?

http://xn--74h.example.org and ☺.example.org?

http://example.org:8042 and http://example.org?

https://example.org and http://example.org?

Origin is a tuple consisting of the (normalized) scheme, domain, and port.


twitter.com stream on my blog using cross-site server sent events.

Importing contact data from gmail.com into facebook.com or my.opera.com.

Manipulating calendar.yahoo.com data on 2008.xtech.org.

Sharing a single XSLT resource among several domains.

Personalized XBL-based map widget.

Talking with your CouchDB database on db.example.org from www.example.org using XMLHttpRequest.

Simplified API for fireeagle.yahoo.net.

Proxy Server?

JSON callback?


<?access-control?> proposal by Voice Browser WG

Ian Hickson made a proposal for cross-site XMLHttpRequest using that proposal.

W3C Web API and Web Application Formats WGs are standardizing.


Policy on the server and API on the client.

Client API is simple: XMLHttpRequest, <event-source src=…>, <?xml-stylesheet?>, ….

Server API depends: HTTP GET or non-GET (such as POST, PUT, and CHICKEN).

GET Solution ("Safe")

Resources specify Access-Control: allow <example.org> or Access-Control: allow <*>.

Can use <?access-control allow="*"?> for XML.

Access-Control-Origin is present in every cross-site request.

Non-GET Solution ("Unsafe")

Requires a preflight request performed by the browser.

Otherwise the same.


Access-Control-Max-Age and Access-Control-Policy-Path.


Firefox 3 has an implementation, but will not ship with it.

Interest from Opera and WebKit now the specification is more stable.

XDomainRequest or JSONRequest

Cross-Document Messaging

Part of HTML5 and soon shipping in browsers.

Allows communication between windows (frames).


The End