By Anne van Kesteren, annevk@opera.com
http://example.org and http://example.example.org?
http://example.org and http://www.example.org?
http://example.org:80 and http://example.org?
http://xn--74h.example.org and ☺.example.org?
http://example.org:8042 and http://example.org?
https://example.org and http://example.org?
Origin is a tuple consisting of the (normalized) scheme, domain, and port.
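The origin comparison behind the URL pairs above, as an added example that is not part of the original slides: it builds the (scheme, domain, port) tuple with the WHATWG URL parser and compares each pair. The function names and the http:// prefix on the ☺ host are assumptions.

```javascript
// Added example (not from the slides): same-origin check for the pairs above.
// Relies on the WHATWG URL parser, a global in Node.js and in browsers.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// Build the normalized (scheme, domain, port) tuple for a URL string.
function originTuple(input) {
  const url = new URL(input); // lowercases the host and converts IDNs to xn-- form
  if (!(url.protocol in DEFAULT_PORTS)) {
    throw new TypeError(`unsupported scheme: ${url.protocol}`);
  }
  // url.port is '' when no port is given or when it equals the scheme default.
  const port = url.port === '' ? DEFAULT_PORTS[url.protocol] : Number(url.port);
  return [url.protocol.slice(0, -1), url.hostname, port];
}

// Two URLs share an origin only if all three tuple members match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.every((part, i) => part === y[i]);
}

// Pairs from the slides. Assumption: "http://" is prepended to the ☺ host,
// which the slide lists without a scheme.
const PAIRS = [
  ['http://example.org', 'http://example.example.org'],
  ['http://example.org', 'http://www.example.org'],
  ['http://example.org:80', 'http://example.org'],
  ['http://xn--74h.example.org', 'http://☺.example.org'],
  ['http://example.org:8042', 'http://example.org'],
  ['https://example.org', 'http://example.org'],
];

function comparePairs() {
  return PAIRS.map(([a, b]) => sameOrigin(a, b));
}

for (const [a, b] of PAIRS) {
  console.log(`${a} vs ${b}: ${sameOrigin(a, b) ? 'same' : 'different'} origin`);
}
```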
twitter.com stream on my blog using cross-site server sent events.
Importing contact data from gmail.com into facebook.com or my.opera.com.
Manipulating calendar.yahoo.com data on 2008.xtech.org.
Sharing a single XSLT resource among several domains.
Personalized XBL-based map widget.
Talking with your CouchDB database on db.example.org from www.example.org using XMLHttpRequest.
Simplified API for fireeagle.yahoo.net.
<?access-control?> proposal by Voice Browser WG
Ian Hickson made a proposal for cross-site XMLHttpRequest using that proposal.
W3C Web API and Web Application Formats WGs are standardizing.
Policy on the server and API on the client.
Client API is simple: XMLHttpRequest, <event-source src=…>, <?xml-stylesheet?>, ….
Server API depends: HTTP GET or non-GET (such as POST, PUT, and CHICKEN).
GET Solution ("Safe")
Resources specify Access-Control: allow <example.org> or Access-Control: allow <*>.
Can use <?access-control allow="*"?> for XML.
Access-Control-Origin is present in every cross-site request.
GET Solution ("Unsafe")
Requires a preflight request performed by the browser.
Otherwise the same.
Access-Control-Max-Age and Access-Control-Policy-Path.
Firefox 3 has an implementation, but will not ship with it.
Interest from Opera and WebKit now that the specification is more stable.
XDomainRequest or JSONRequest
Part of HTML5 and soon shipping in browsers.
Allows communication between windows (frames).
Questions?