Thursday, January 15th, 2009

Access Control in IE 8

Category: IE

Adrian Bateman of the IE 8 team created a screencast showing the Access Control work that has been done:

I’m happy to announce that we have recently completed our support for the Access Control Check using the Access-Control-Allow-Origin header defined by the updated spec. This means that, in addition to the wildcard check (looking for *) that we supported in Beta 2, we also now support the origin URL check. This support will be part of the next public release of IE that Dean announced a few weeks ago.

I have recorded a short video that demonstrates how to use XDR and what this announcement means. It also shows how the Access Control framework is supported by other browsers allowing interoperable services to be called from your pages.

Posted by Dion Almaer at 5:18 am

3.3 rating from 23 votes


Comments feed TrackBack URI

Why didn’t they used the XmlHttpRequest object just like firefox and the others?? Now we have to make two versions, one for IE and one for the others…

Comment by ArianStolwijk — January 15, 2009

Am I alone is really not caring about any IE8 news? I’ve lost so much interest in trying to support IE6 and 7 over Firefox, Safari and Chrome that I no longer care about more junkware eminating from Redmond.

Comment by spyke — January 15, 2009

>>Am I alone is really not caring about any IE8 news?
All I want from them is to put in the stuff all the other guys have. If all I get is a less-crashy IE7, that’s OK, I guess.

Comment by Nosredna — January 15, 2009

This video could have been shortened by five minutes if he’d just copy and pasted his code in. Instead it’s just a boring piece showing someone typing code. Microsoft could learn something about developer presentations watching the RailsCast videos.

And where is the Safari demo anyway. Is this ‘cool’ stuff really cross-browser compatible, of is Microsoft still in denial that Apple exists?

Comment by HG — January 15, 2009

No, you’re not alone. If for nothing else then IE’s *History* I would never again use “features” from IE except for just making sure my stuff at least *works* in IE…
6 years with no updates, 10 years with consistently breaking standards and now almost 3 years without pushing IE7 out over automatic Windows Update.
Not to mention that all the other browsers are researching into JITing JavaScript and runs a *gazillion* times faster and all that stuff – and a gazillion times more *stable*…!
Sorry IE team, it’s probably not your fault, I know. You might be great guys and maybe even great developers – but I COULDN’T CARE LESS…!

Comment by ThomasHansen — January 16, 2009

The W3C Cross-Site Access Control specification is an important step forward in the evolution of browser applications, and includes a number of different headers, such as:


Unfortunately, it appears that the IE8-specific XDomainRequest API does not support all of these features yet. For example, only “GET” and “POST” methods, no application-specific headers and no credentials.

Given that Firefox has demonstrated how to address security concerns and maintain backwards compatibility with same-origin XMLHttpRequest, while adding full support for W3C Cross-Site Access Control, the technical benefit of creating a separate (and incomplete) API for IE8 is unclear. For example, why not complete the feature set, and then rename XDomainRequest to XMLHttpRequest?

Microsoft would gain increased developer goodwill by avoiding such divergence if it is not necessary, but maybe that would make writing Ajax applications too easy. :-)

Comment by JohnFallows — January 17, 2009

Leave a comment

You must be logged in to post a comment.