Simon Willison’s Weblog

The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs. 19th November 2008, 8:40 am

CSSHttpRequest (via) Devious cross-domain Ajax hack that uses CSS for transport (@import rules with data URIs, but it still works in IE). Similar to JSONP but safer, since JSONP can cause arbitrary JavaScript to execute. 23rd October 2008, 6:25 pm

window.name Transport. The cleverest use of the window.name messaging hack I’ve seen yet: Dojo now has dojox.io.windowName.send for safe, performant cross-domain messaging. 23rd July 2008, 4:25 pm

xssinterface (via) Clever JavaScript library for implementing opt-in cross-domain messaging in JavaScript (allowing communication between pages and iframes on different domains). Uses HTML 5’s postMessage API if available, otherwise falls back on either Google Gears or a clever cookie hack. 5th March 2008, 12:08 am

Cross-Site XMLHttpRequest (via) “Firefox 3 implements the W3C Access Control working draft, which gives you the ability to do XMLHttpRequests to other web sites”—you can mark a document as available for cross-domain requests using either an Access-Control HTTP header or an XML processing instruction. 9th January 2008, 11:57 pm

hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order. 28th September 2007, 9:10 am

Google AJAX Feed API (via) Simple cross-domain proxy to allow JavaScript to access any publically addressable syndication feed, with the same logic as Google Reader providing normalisation. 18th April 2007, 5:29 pm

XMLHttpRequests using an IFrame Proxy (via) Another scary hack abstracted away by Dojo. 1st August 2006, 5:40 pm