Wednesday, July 26th, 2006

Peter Nixey has written a piece on his frustrations with the lack of cross-domain XHR in his current applications.
External JSON is extremely dangerous as it is arbitrary third-party code executed in the scope of the current web-page. It can be used to steal passwords or data present in the current scope. JSON is also a non-generalised data standard and requires new server-side libraries and code.
XML is already a data standard in wide use with APIs present in most programming languages. It’s inert, human-readable and highly compressible using gzip.
Any cross domain XHR must be server opt-in (rather than opt-out) or else we leave all non-enabled servers vulnerable to brute-force attacks.
Agreement can very simply be communicated by having the server send a header authorising cross-domain use of the data.
… any thoughts?
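The opt-in rule in the last two points, modelled as an added example (not code from the post or from Nixey): a browser-side check that exposes a cross-domain response to the page only when the server has sent an authorising header, plus the server-side helper that emits that header for allowlisted origins. The header name `Access-Control-Allow-Origin` and the `*` wildcard are assumed from the later CORS standard; the post itself names no header.

```python
"""Opt-in cross-domain XHR: browser-side enforcement and server-side emission.

Assumption: the authorising header is Access-Control-Allow-Origin carrying a
single origin or "*" (the syntax CORS later standardised). Everything not
explicitly authorised is denied, which is the opt-in default the post argues for.
"""
from urllib.parse import urlsplit


def normalise_origin(url: str) -> str:
    """Reduce an absolute URL to its origin: scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    origin = f"{parts.scheme.lower()}://{parts.hostname.lower()}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


def may_expose(page_url: str, resource_url: str, response_headers: dict) -> bool:
    """Decide whether the page may read a response its XHR fetched.

    Same-origin responses are always readable. Cross-domain responses are
    readable only if the server opted in by naming the page's origin exactly
    (or "*"). Header names match case-insensitively, as HTTP requires, and a
    malformed header value fails closed.
    """
    page_origin = normalise_origin(page_url)
    if normalise_origin(resource_url) == page_origin:
        return True
    allowed = None
    for name, value in response_headers.items():
        if name.lower() == "access-control-allow-origin":
            allowed = value.strip()
    if allowed is None:
        return False  # no opt-in header: the response stays opaque to the page
    if allowed == "*":
        return True
    try:
        return normalise_origin(allowed) == page_origin
    except ValueError:
        return False  # unparsable origin in the header: deny


def allow_origin_header(request_origin: str, allowlist: set) -> dict:
    """Server side: emit the opt-in header only for origins on the allowlist."""
    origin = normalise_origin(request_origin)
    return {"Access-Control-Allow-Origin": origin} if origin in allowlist else {}
```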
Posted by Dion Almaer at 9:39 am