The key to centralized AJAX services
The Problem: Same Origin
While working on a top secret project at We-Create, I was faced with a road block regularly encountered by many web developers: the ‘Same Origin’ security policy. Simply put, it’s the set of security restrictions in the web browser that confines script actions to the same domain where the page is located. For example, in accordance with the policy, JavaScript running on this page on JeffreySambells.com should only communicate with JeffreySambells.com and be denied access to any other domains. Usually this isn’t a problem, as the policy doesn’t apply to loading non-dynamic objects such as images from other domains, and most AJAX requests will be between the browser and JeffreySambells.com. As well, to protect against Cross-Site Scripting (XSS), it makes sense to disallow seemingly random requests to other domains. The problem arises in places such as my top secret project, where I require a centralized data service on one domain that communicates via AJAX with pages viewed on other domains. With the ‘Same Origin’ security policy this isn’t possible using any traditional AJAX methods! But it is possible with a little JavaScript trickery.
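As an added illustration (not code from the original post), here is what the browser's same-origin check actually compares: scheme, host and port, not just the domain name, which is why a central service on another host is off limits to XMLHttpRequest while an image or script from it can still be embedded. The `checkRequest` helper, the page URL and the central-service URL are constructed for this example, and it ignores CORS response headers.

```javascript
// Added example (not from the original post): what the browser's same-origin
// check compares. Two URLs share an origin only when scheme, host and port all
// match, so a different subdomain, scheme or port counts as a different origin.

function originOf(urlString) {
  // URL.origin drops a default port (":80" for http, ":443" for https)
  return new URL(urlString).origin;
}

function isSameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Decide what the same-origin policy lets a page do with a target URL.
// kind: 'xhr'   - read the response with XMLHttpRequest (same origin only,
//                 ignoring CORS response headers)
//       'embed' - load it as an <img> or <script> element (allowed cross-origin;
//                 the page only renders/executes it, it cannot read the bytes)
// Relative targets resolve against the page URL, as a browser would.
function checkRequest(kind, pageUrl, targetUrl) {
  const resolved = new URL(targetUrl, pageUrl).href;
  const same = isSameOrigin(pageUrl, resolved);
  return {
    allowed: kind === 'embed' ? true : same,
    sameOrigin: same,
    pageOrigin: originOf(pageUrl),
    targetOrigin: originOf(resolved),
  };
}

// Constructed sample cases using the domain named in the post; the central
// data service URL is a hypothetical placeholder.
const PAGE = 'http://www.jeffreysambells.com/blog/some-post/';
const TARGETS = [
  '/data/feed.json',                           // relative: same origin
  'http://www.jeffreysambells.com:80/data/',   // explicit default port: same origin
  'https://www.jeffreysambells.com/data/',     // other scheme: cross-origin
  'http://data.jeffreysambells.com/',          // other subdomain: cross-origin
  'http://www.jeffreysambells.com:8080/',      // other port: cross-origin
  'http://central-service.example/api',        // placeholder central service
];

for (const t of TARGETS) {
  const xhr = checkRequest('xhr', PAGE, t);
  const img = checkRequest('embed', PAGE, t);
  console.log(`${xhr.targetOrigin}: xhr ${xhr.allowed ? 'ALLOWED' : 'BLOCKED'}, embed ${img.allowed ? 'ALLOWED' : 'BLOCKED'}`);
}
```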