Comments on: Cross-Site XMLHttpRequest in Firefox 3

By: stefanoc

stefanoc — Wed, 25 Feb 2009 12:51:29 +0000

Yes, W3C AC is basically like crossdomain.xml in Flash; and yes, W3C AC does not really open cross-domain for developers - as you depend on the server crossdomain access control to use it, so it's protecting the server and not facilitating development of mash-up applications! At Mixendo.com we have an approach to provide cross-domain AJAX based on the "proxy" pattern. Include our cross-domain xhr javascript and: 1) keep using the XMLHttpRequest object as usual - just, it's cross-domain enabled 2) you can make both GET and POST requests which is vital considering that GET is limited in length! 3) our proxy can take care of cookies, mandatory for some websites 4) we have an improved cross-domain security model, the developer has to declare which sources his application is going to connect to so that the user know what's going on. It's not a perfect solution, but it's a little improvement. Please have a tour on our Mixendo Developers Website to learn more about our MiXHR Service and other upcoming cross-domain/mash-up solutions.

By: tlrobinson

tlrobinson — Tue, 22 Apr 2008 22:32:07 +0000

So this is basically like crossdomain.xml in Flash??

By: luca

luca — Thu, 10 Apr 2008 14:55:47 +0000

maybe this will light you up
http://websecurity.ro/blog/2008/04/10/cross-domain-requests-will-be-back/

By: stauren

stauren — Tue, 29 Jan 2008 08:47:39 +0000

I think this could enable some kind of attacks like, using js to steal the password in the page and send back to the attacker’s sever by xmlhttp request.
This is normally not available, but in FF3 this is available if the attacker had configured his own server correctly!

By: pool

pool — Mon, 14 Jan 2008 15:32:11 +0000

Beside if this is a ‘good’ or ‘bad’ thing, I think it would still take half a decade to use this method unobtrusively in web applications. (since this would probably be the time Microsoft needs to adobt this and all it’s users upgraded)

By: alexeiwhite

alexeiwhite — Fri, 11 Jan 2008 19:42:04 +0000

I think there is a huge need for this. Bottlenecks on proxies, easy integration of Ajax components that connect to a central webservice, etc.

By: pwb

pwb — Fri, 11 Jan 2008 06:35:28 +0000

The risks are actually pretty huge. The biggest being infiltration behind firewalls. A malicious server could serve a cross-domain script that essentially robots through an unsuspecting surfer’s intranet.

By: linizou

linizou — Fri, 11 Jan 2008 03:18:35 +0000

cross-site XMLHTTPRequests helpful .

By: ded

ded — Fri, 11 Jan 2008 02:02:43 +0000

wasn’t there plans to implement the cross-site jsonrequest function proposed from crockford almost 2 years ago?

By: Hans Schmucker

Hans Schmucker — Fri, 11 Jan 2008 00:50:15 +0000

Protecting the user is exactly the reason why we need cross-site XMLHTTPRequests… as stated before we could use JSON, but getting data from JSON without using exec (which should never be done with data that you get from a thirdparty server) is a pain. A crosssite XMLHttprequest is much safer… I mean, what harm can it to as long as protected data is not marker allow=â€*â€, which hopefully nobody in their right mind would do…

By: bander

bander — Thu, 10 Jan 2008 18:30:37 +0000

It's protecting the client from having its cookie-authenticated data exposed to malicious sites. And yeah, bnye, unprotected JSON (or Javascript, even more so) is basically allow="*". So if you want to allow other sites to use data associated with your users, totally. If not, protect your JSON.

By: bnye

bnye — Thu, 10 Jan 2008 17:54:08 +0000

Is this a good place to use Json instead?