Session

Handling Cross-domain XMLHttpRequests

Premshree Pillai, Technical Yahoo!, Yahoo! Inc.

Track: JavaScript/Ajax
Date: Wednesday, July 26
Time: 10:45am - 11:30am
Location: Portland 255

XMLHttpRequest objects are the little-known heroes that make all the cool Web 2.0 stuff possible. Now one well known "problem" with the XMLHttpRequest object is the difficulty in making cross-domain XMLHttpRequests. In practice, it is not possible to make cross-domain XMLHttpRequests.

Given the number of web services we can make use of -- Yahoo! Web services, Google, Flickr, etc. -- in Ajax apps (meaning those where we use XMLHttpRequest objects), we need a solution to overcome the XMLHttpRequest object's cross-domain limitation.

The typical solution used to overcome the cross-domain limitation is to use a server-side script-based proxy -- a local server script that internally makes HTTP requests to the external web service. Now this is a simple solution -- no doubt -- but this requires that you create a new proxy for every web service that you use. Since, essentially, the script-based proxy is just, well... a proxy, wouldn't it be better to have a simpler solution, one where you don't need to take the trouble of creating a script for each proxy?

This presentation will talk about other solutions that can be used to overcome XMLHttpRequest's cross-domain problems:

  1. Overriding browser security
  2. The "script" hack: adding a script node dynamically
  3. An Apache-based proxy