
Cross-domain XHR Alternatives



The known methods for providing working cross-domain XHR that circumvents the same-origin policy are very limited, and to our knowledge this list is exhaustive. We try to describe how they work and what their limitations are.

Using a Proxy

This is a pattern suggested by Yahoo! [1], and we actually implement a slightly modified version of that idea.

The main obvious limitation is the bandwidth problem; that's on us :-) .

Using browser code with higher rights

For instance a browser extension: we are working on a solution based on this approach. Stay tuned!

Other Client-Side Cross-domain Solutions

We are not aware of any pure client-side solution that does not somehow require cooperation from the server you want to access (see later).

Among pure client-side solutions there were CSSHttpRequest and some iFrame hacks, but none of them work in the latest browsers.

Please let us know should you know of a working client-side solution!


Other Solutions

All other solutions have strong limitations, and in particular they all require some server cooperation.

JavaScript, JSONP & Co.

Some JavaScript solutions exist, based on the fact that the same-origin policy does not apply to <SCRIPT> tags; there is no pure client-side solution, though. Such a solution requires a specifically developed server, as with JSONP [2], where the server needs to return the response as JSON and also wrap the response in the requested callback; or its extended version, JSONPP.

CrossSafe, Subspace

Among them is a partial implementation of the JSONRequest principles called CrossSafe [3], which also requires a callback parameter (like JSONP) to be implemented by foreign servers. Collin Jackson's Subspace [4] works by putting together some hacks, but is oriented more towards secure Cross-Document Messaging (XDM) [5] and cannot provide full cross-domain XHR.

Subdomains only

For different subdomains of the same domain, you can access the iFrame with the little trick of leaving out the subdomain from the name, and thus use iFrames to implement cross-domain requests and still be able to access the retrieved data.


Using Flash

This solution requires a hidden Flash object on the webpage. In addition, Flash has its own access control limitations, similar to W3C Access Control: you need to put an access control file on the content server stating who has the right to access it.


Wait for some Browser-support miracle!

JSONRequest

The JSONRequest [6] proposal, as well as other similar alternative proposals (see later for W3C AC), requires browser vendors and/or servers to implement a suggestion which is not a standard, and as such will surely not be available any time soon.

W3C Access Control

W3C has come up with a standard called Access Control for Cross-Site requests [7], which is already implemented in Firefox 3 (though not available to webpages yet, only extensions and signed code) and Internet Explorer 8 XDomainRequest [8], [9].

This standard, though, will only unlock cross-domain access based on server-side authorization.
Unless a server implements the HTTP headers required by Access-Control AND allows cross-domain requests from your domain, this will not bring you any closer to adding cross-domain XHR to your applications.
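
The two conditions above (the server sends the headers AND authorizes your domain) can be made concrete with the following added example, which is not part of the original page and is not Mixendo's code. It uses the header names of the standard as later finalized (CORS); the origins, the allowlist and the function names are constructed for illustration, and the browser-side check is a simplified model.

```javascript
// Added example, not part of the original page. Origins below are constructed.
// Server side: the set of foreign origins this server chooses to authorize.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);

// Decide which Access Control response headers to send for one request.
// requestHeaders uses lower-case keys, as Node's http module provides them.
function accessControlHeaders(requestHeaders, allowCredentials = false) {
  const origin = requestHeaders["origin"];
  if (!origin) return {}; // no Origin header: nothing to authorize
  // Vary on Origin so a shared cache never replays one origin's grant to another.
  const headers = { "Vary": "Origin" };
  // Exact string match only: prefix, suffix or loose pattern matching would
  // also accept look-alike origins such as https://app.example.com.other.test.
  if (!ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Simplified model of the browser-side check: may the page read the response?
function browserExposesResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const granted = responseHeaders["Access-Control-Allow-Origin"];
  if (withCredentials) {
    // Credentialed requests need an exact origin (no "*") plus explicit opt-in.
    return granted === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return granted === "*" || granted === pageOrigin;
}

// Walk three constructed page origins through both checks.
function demo() {
  const pages = ["https://app.example.com", "https://other.example.net",
                 "https://app.example.com.other.test"];
  return pages.map((page) => {
    const response = accessControlHeaders({ origin: page });
    return { page, readable: browserExposesResponse(page, response) };
  });
}

console.log(demo());
```

Only the first origin can read the response; the other two still receive it over the network, but the browser withholds it from the calling page because the server did not authorize them.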

Mixendo cross-domain XHR: MiXHR

Our solution will work in any browser, straight away.

We are continuously working to improve security while adding features (e.g. cookie management, caching to improve performance, etc.).

If you have other solutions you would like us to look into, or want to know more, do not hesitate to contact us!

Some bibliography