At some point in their life every web developer will think to themselves “Ah! All I need is to make a cross-domain request on the client and the problem becomes trivial!”
Now you have two problems.
Cross-domain requests are frowned upon by browser vendors, and with good reason: left unrestricted, they are a huge security vulnerability. XSS vulnerabilities are one of the biggest nightmares for web security experts. Those ugly things can do anything from stealing user data to plastering the user’s browser with popup ads. Worse yet, they can appear on your site through no fault of your own!
And yet, sometimes all you really need is a controlled cross-domain request and all your troubles go away. Maybe you’re creating an embeddable widget for the WordPress dashboard, or just want to list GitHub repositories on your website without taxing your server. Or a bookmarklet. A sharing widget, maybe?
Here are just some of the hacks we’ve all used before:
- JSONP – execute arbitrary unchecked code right in your app
- iframes – communication through URL fragments, changing window names and generally creating a big unmaintainable mess
- proxies – a long client-server-API-server-client roundtrip
- URL fragments – let’s just populate the browser history with a bunch of odd #something entries, OAuth2 uses this
To add insult to injury, not only do all these hacks come with a bunch of problems of their own, they don’t even solve the problem. All of them restrict what you can send (small-ish strings only) and how it must be encoded, and they generally come with big latencies.
There’s a better way. Something all the big players are already using but you probably haven’t heard of. In fact until a week ago I didn’t either and I follow the web tech scene pretty closely.
EasyXDM gives you the ability to make cross-domain requests securely from a client to a server and even from a client to a client. The real beauty of it is that it can even open a socket-like device that you can use to communicate rather efficiently … in every browser. Even IE6.
Here’s what the creators have to say about it.
At the core easyXDM provides a transport stack capable of passing string based messages between two windows, a consumer (the main document) and a provider (a document included using an iframe). It does this by using one of several available techniques, always selecting the most efficient one for the current browser.
For all implementations the transport stack offers bi-directionality, reliability, queueing and sender-verification.
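The consumer/provider exchange described above, as an added example that is not easyXDM’s own code: a minimal channel built directly on `window.postMessage` (the primitive easyXDM’s transport stack uses in browsers that support it), with the sender-verification step spelled out. The function names, the JSON envelope format, the 64 KB size cap and the origins used in the demo are all assumptions made for this illustration.

```javascript
// Added example: a consumer/provider string-message channel over window.postMessage.
// Not easyXDM's code; names, envelope format and size cap are assumptions.

const MAX_MESSAGE_BYTES = 64 * 1024; // assumed cap: drop oversized messages before parsing

// Exact-match origin check. A prefix test would accept "https://widget.example.evil";
// an allow-list of full origins (scheme + host + port) does not.
function isAllowedOrigin(origin, allowedOrigins) {
  return typeof origin === "string" && allowedOrigins.includes(origin);
}

// Messages cross the boundary as plain strings (as in easyXDM); here a JSON envelope.
function encodeMessage(type, payload) {
  return JSON.stringify({ v: 1, type, payload });
}

// Returns the parsed envelope, or null if the data is not a well-formed message.
function decodeMessage(data) {
  if (typeof data !== "string" || data.length > MAX_MESSAGE_BYTES) return null;
  let msg;
  try { msg = JSON.parse(data); } catch (e) { return null; }
  if (!msg || typeof msg !== "object" || msg.v !== 1 || typeof msg.type !== "string") return null;
  return msg;
}

// Build a "message" event handler. `handlers` maps message types to functions; anything
// from an unlisted origin, malformed, or of an unknown type is dropped. The returned
// handler reports true only when a message was actually dispatched.
function makeMessageHandler(allowedOrigins, handlers) {
  return function onMessage(event) {
    if (!isAllowedOrigin(event.origin, allowedOrigins)) return false;
    const msg = decodeMessage(event.data);
    if (msg === null) return false;
    const handler = Object.prototype.hasOwnProperty.call(handlers, msg.type) ? handlers[msg.type] : null;
    if (typeof handler !== "function") return false;
    handler(msg.payload, event.origin);
    return true;
  };
}

// Wire a channel to another window. `targetOrigin` is passed to postMessage so the browser
// refuses delivery if that window has since navigated to a different origin. The listener
// is only attached when a real `window` exists, so the module also loads outside a browser.
function openChannel(targetWindow, targetOrigin, allowedOrigins, handlers) {
  const onMessage = makeMessageHandler(allowedOrigins, handlers);
  if (typeof window !== "undefined") window.addEventListener("message", onMessage);
  return {
    send(type, payload) { targetWindow.postMessage(encodeMessage(type, payload), targetOrigin); },
    onMessage,
  };
}

// Stand-alone demo with a constructed fake provider window and constructed events.
function demo() {
  const received = [];
  const fakeProvider = { postMessage(data, origin) { received.push({ data, origin }); } };
  const channel = openChannel(fakeProvider, "https://widget.example", ["https://widget.example"], {
    repos: (payload) => received.push({ repos: payload }),
  });
  channel.send("list-repos", { user: "demo" });
  // Reply from the expected provider origin: dispatched.
  const accepted = channel.onMessage({ origin: "https://widget.example", data: encodeMessage("repos", ["a", "b"]) });
  // Same shape, unlisted origin: silently dropped.
  const rejected = channel.onMessage({ origin: "https://other.example", data: encodeMessage("repos", ["x"]) });
  return { accepted, rejected, received };
}
```

In a real page the consumer would pass the iframe’s `contentWindow` as `targetWindow`, and the provider document would call `openChannel(window.parent, consumerOrigin, [consumerOrigin], handlers)`; the two allow-lists are what make both directions verifiable.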
This library would have been a godsend a few years ago when I was developing a social sharing bookmarklet. It would even have been a godsend a few months ago when I was working on a product that sorely needed this so it would be less hackable, and I had to bend over backwards to make it “more secure”.
I know you’ve already tried implementing cross-domain communication on your own. I know you ended up with a hacky solution that kind of worked when the planets aligned and you sacrificed an albino bull to Zeus while standing on your left leg.
Instead of going on like that, give easyXDM a try; I have a feeling you might like it.