Simon Willison’s Weblog

flXHR. I was looking for something like this recently, glad to see it exists. flXHR is a drop-in replacement for regular XMLHttpRequest which uses an invisible Flash shim to allow cross-domain calls to be made, taking advantage of the Flash crossdomain.xml security model.

# 26th November 2009, 12:52 pm / ajax, crossdomain, flash, flxhr, javascript, swf, xhr

Firefox 3.5 for developers. It’s out today, and the feature list is huge. Highlights include HTML 5 drag ’n’ drop, audio and video elements, offline resources, downloadable fonts, text-shadow, CSS transforms with -moz-transform, localStorage, geolocation, web workers, trackpad swipe events, native JSON, cross-site HTTP requests, text API for canvas, defer attribute for the script element and TraceMonkey for better JS performance!

# 30th June 2009, 6:08 pm / audio, browsers, canvas, crossdomain, csstransforms, dragndrop, firefox, firefox35, fonts, geolocation, html5, javascript, json, localstorage, mozilla, offlineresources, performance, textshadow, tracemonkey, video, webworkers

The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs.

# 19th November 2008, 8:40 am / accesscontrol, browsers, crossdomain, ie, john-resig, security

CSSHttpRequest (via) Devious cross-domain Ajax hack that uses CSS for transport (@import rules with data URIs, but it still works in IE). Similar to JSONP but safer, since JSONP can cause arbitrary JavaScript to execute.

# 23rd October 2008, 6:25 pm / ajax, atimport, crossdomain, css, csshttprequest, javascript, json, jsonp

window.name Transport. The cleverest use of the window.name messaging hack I’ve seen yet: Dojo now has dojox.io.windowName.send for safe, performant cross-domain messaging.

# 23rd July 2008, 4:25 pm / crossdomain, dojo, javascript, windowname

xssinterface (via) Clever JavaScript library for implementing opt-in cross-domain messaging in JavaScript (allowing communication between pages and iframes on different domains). Uses HTML 5’s postMessage API if available, otherwise falls back on either Google Gears or a clever cookie hack.

# 5th March 2008, 12:08 am / crossdomain, html5, javascript, postmessage, xssinterface

Cross-Site XMLHttpRequest (via) “Firefox 3 implements the W3C Access Control working draft, which gives you the ability to do XMLHttpRequests to other web sites”—you can mark a document as available for cross-domain requests using either an Access-Control HTTP header or an XML processing instruction.

# 9th January 2008, 11:57 pm / accesscontrol, ajax, crossdomain, firefox, firefox3, http, javascript, john-resig, mozilla, w3c, xml, xmlhttprequest

hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order.

# 28th September 2007, 9:10 am / accounts, api, crossdomain, csrf, json, stuart-langridge

Google AJAX Feed API (via) Simple cross-domain proxy to allow JavaScript to access any publically addressable syndication feed, with the same logic as Google Reader providing normalisation.

# 18th April 2007, 5:29 pm / ajax, atom, crossdomain, feed, google, google-reader, javascript, rss, syndication

XMLHttpRequests using an IFrame Proxy (via) Another scary hack abstracted away by Dojo.

# 1st August 2006, 5:40 pm / ajax, crossdomain, dojo, javascript, xmlhttprequest