10 items tagged “crossdomain”
2009
flXHR. I was looking for something like this recently, glad to see it exists. flXHR is a drop-in replacement for regular XMLHttpRequest which uses an invisible Flash shim to allow cross-domain calls to be made, taking advantage of the Flash crossdomain.xml security model.
Firefox 3.5 for developers. It’s out today, and the feature list is huge. Highlights include HTML 5 drag ’n’ drop, audio and video elements, offline resources, downloadable fonts, text-shadow, CSS transforms with -moz-transform, localStorage, geolocation, web workers, trackpad swipe events, native JSON, cross-site HTTP requests, text API for canvas, defer attribute for the script element and TraceMonkey for better JS performance!
2008
The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs.
CSSHttpRequest (via) Devious cross-domain Ajax hack that uses CSS for transport (@import rules with data URIs, but it still works in IE). Similar to JSONP but safer, since JSONP can cause arbitrary JavaScript to execute.
window.name Transport. The cleverest use of the window.name messaging hack I’ve seen yet: Dojo now has dojox.io.windowName.send for safe, performant cross-domain messaging.
xssinterface (via) Clever JavaScript library for implementing opt-in cross-domain messaging in JavaScript (allowing communication between pages and iframes on different domains). Uses HTML 5’s postMessage API if available, otherwise falls back on either Google Gears or a clever cookie hack.
Cross-Site XMLHttpRequest (via) “Firefox 3 implements the W3C Access Control working draft, which gives you the ability to do XMLHttpRequests to other web sites”—you can mark a document as available for cross-domain requests using either an Access-Control HTTP header or an XML processing instruction.
2007
hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order.
Google AJAX Feed API (via) Simple cross-domain proxy to allow JavaScript to access any publicly addressable syndication feed, with the same logic as Google Reader providing normalisation.
2006
XMLHttpRequests using an IFrame Proxy (via) Another scary hack abstracted away by Dojo.