Blogger: Ajaxian Blog
Category: XML
Blogged date: 2008 Jan 10
John Resig has written up documentation of Cross-Site XMLHttpRequest that discusses the W3C Access Control working draft which Firefox 3 implements.
He gives us a nice example:
In a nutshell, there are two techniques that you can use to achieve your desired cross-site-request result: Specifying a special Access-Control header for your content or including an access-control processing instruction in your XML.
In HTML:
PHP:
<?php // "allow <*>": any site may read this response cross-domain
header('Access-Control: allow <*>'); ?>
In XML:
XML:
<?xml version="1.0" encoding="UTF-8"?>
<?access-control allow="*"?>
And the XHR code itself isn't different from any other XHR code:
JAVASCRIPT:
var xhr = new XMLHttpRequest();
// Cross-domain GET; Firefox 3 only exposes the response if the server opted in
// with the Access-Control header or processing instruction shown above.
xhr.open("GET", "http://dev.jquery.com/~john/xdomain/test.php", true);
xhr.onreadystatechange = function(){
    if ( xhr.readyState == 4 ) {           // request finished
        if ( xhr.status == 200 ) {
            document.body.innerHTML = "My Name is: " + xhr.responseText;
        } else {
            // a denied cross-site request also ends up here (no readable status/body)
            document.body.innerHTML = "ERROR";
        }
    }
};
xhr.send(null);
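The `allow <*>` header in the PHP snippet opts the response in for every site on the web, which is the point the commenters below pick at. The following is an added example, not code from Resig's write-up or the Ajaxian post: a server-side decision function that only emits the draft header when the requesting page comes from an allow-listed origin. The only header syntax taken from the page is `allow <*>`; putting a specific host inside the angle brackets (`allow <app.example.org>`), and reading the requesting site from the `Referer` request header, are assumptions about how a server would apply the draft, not something the post states. The allowed origins and request values are constructed sample data.

```javascript
// Added example, not from the original post. Assumptions: the requesting
// site is taken from the Referer header, and the draft accepts a host name
// inside the angle brackets in place of "*".

// Policy: sites allowed to read this resource cross-domain (constructed sample).
const ALLOWED_ORIGINS = new Set([
  "http://app.example.org",
  "https://partner.example.net",
]);

// Reduce a URL to scheme://host[:port]; null if it is not an http(s) URL.
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin;
  } catch (e) {
    return null;           // missing or unparsable Referer
  }
}

// Decide the Access-Control header value for one request.
// Returns the value to send, or null to send no header at all, in which case
// the browser keeps the response away from the cross-site page.
//   policy.open === true   -> "allow <*>", what the post's PHP does (anyone may read)
//   otherwise              -> "allow <host>" only for allow-listed origins
function accessControlHeaderFor(refererHeader, policy) {
  if (policy.open) return "allow <*>";
  const origin = originOf(refererHeader || "");
  if (origin === null) return null;             // no referrer: deny, do not fall open
  if (!policy.allowed.has(origin)) return null; // unknown site: deny
  const host = new URL(origin).host;
  return `allow <${host}>`;                     // assumption: host rule syntax
}

// Closed-list policy used by the checks below; the open policy is shown for contrast.
const RESTRICTED = { open: false, allowed: ALLOWED_ORIGINS };
const OPEN = { open: true, allowed: ALLOWED_ORIGINS };

// Example usage: compare both policies for the same requests.
console.log(accessControlHeaderFor("http://app.example.org/page.html", RESTRICTED)); // allow <app.example.org>
console.log(accessControlHeaderFor("http://other.example.com/page.html", RESTRICTED)); // null
console.log(accessControlHeaderFor("http://other.example.com/page.html", OPEN));       // allow <*>
```

The design point is the two `null` returns: a request with no usable `Referer` gets no header rather than a permissive one, so a policy that is meant to be closed never opens by accident. The `OPEN` policy reproduces the post's one-liner so the difference is visible side by side.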
Some are excited to see the cross-domain work, and some are concerned, e.g.:
I agree with Thomas. I never understood the NEED to modify the client security model to allow for this. If this is something the software needs to do, then the developer can implement a proxy on the server side. At least in this way the developer has sole discretion on the connections. Just more to go wrong if you ask me.
I'm still under the impression - and correct me if I'm wrong - that all these means are tailored to protect the server and its documents. But I thought the issue was to protect the client!
What exactly is the reason we need this? Has anybody here really understood why XMLHttp is currently limited to one host and cannot communicate cross-domain? I really do not understand that. If XMLHttp cannot do this by default, why is it still possible to load scripts and images from other servers? Why can I do exactly the same type of cross-domain communication using Flash, maybe using Silverlight in the future? What is the original reason for this limitation? Is this documented anywhere?
If, as mentioned in the spec, HTTP DELETE is problematic, because it may delete data, why can't we filter such actions when detecting a cross-domain communication? GET and POST are possible in the same way when submitting a simple form. It is even possible to generate these form elements dynamically. And this also works cross-domain. At least these two HTTP methods should be enabled by default to allow cross-domain communication. The open web, as often mentioned by Alex Russell, really needs features comparable with closed-source software, e.g. Flash or Silverlight.
I agree with those saying that this spec is misguided. But bothering users too much is also not good. How are they to know in every case what things mean?
What do you think?