- JSONP aka script tag inclusion - someone even implemented it in GWT, but it's insecure and limited by the URL length limit.
- IFrames, Fragment Identifiers and XHR Proxying - secure but the communication via #hash is far from perfect.
- window.name hack with form submission - that's really nice, but limited to form submission and requires server-side changes (special response format).
I liked the window.name hack the most and started implementing it in GWT. And while doing so I asked myself a question - why is it only limited to form submission? Well, it's not! You can use window.name for communication like in the #hash communication and do full XHR proxying. Look at this new (at least I didn't see it anywhere else) cross-site communication scheme:
- Create an iframe
- Encode XHR params and a dummy localUrl in the iframe's window.name
- Change the iframe's location to the server's proxy script (i.e. if you want to send a request to example.org, example.org needs to provide a proxy script at e.g. example.org/cross_site_proxy.html)
- The proxy script reads params from window.name and creates the real XHR
- Fire the XHR and encode the response (all of it) in window.name
- Change the location back to localUrl
- Read the response from the iframe's window.name
It is important to set proper caching headers for both localUrl and the server's proxy script so that they are loaded from the browser's cache without any additional requests.
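The steps above, sketched as an added example (not the GWT proof of concept mentioned in this post): the request and response envelopes carried in window.name, with the proxy script checking what it is asked to relay. The JSON envelope, the `xsproxy:` prefix, the function names and the checks are assumptions; a plain object stands in for the iframe so the flow runs under Node.

```javascript
// Added example. Envelope format, PREFIX, function names and the proxy-side
// checks are assumptions made for illustration, not part of the original scheme.
const PREFIX = 'xsproxy:'; // hypothetical marker; unrelated window.name values are rejected

// Step 2 (caller): pack the XHR params and the dummy localUrl into one string.
function encodeRequest(localUrl, method, url, body) {
  return PREFIX + JSON.stringify({ localUrl, method, url, body: body === undefined ? null : body });
}

function unpack(name) {
  if (typeof name !== 'string' || !name.startsWith(PREFIX)) throw new Error('not a proxy envelope');
  return JSON.parse(name.slice(PREFIX.length));
}

// Step 4 (proxy script): read window.name and refuse what should not be relayed.
function decodeRequest(name, proxyOrigin, allowedMethods) {
  const req = unpack(name);
  if (!allowedMethods.includes(req.method)) throw new Error('method not allowed');
  const target = new URL(req.url, proxyOrigin); // relative URLs resolve to the proxy's origin
  if (target.origin !== proxyOrigin) throw new Error('target is off-origin');
  const back = new URL(req.localUrl);           // must be absolute
  // Only http(s) return URLs; any other scheme must never reach location.
  if (!['http:', 'https:'].includes(back.protocol)) throw new Error('bad localUrl scheme');
  return { method: req.method, url: target.href, body: req.body, localUrl: back.href };
}

// Step 5 (proxy script): the whole response goes back through window.name.
function encodeResponse(status, body) {
  return PREFIX + JSON.stringify({ status, body });
}

// All steps against a stand-in frame object; `send` stands in for the real XHR.
function roundTrip(frame, request, proxyOrigin, send) {
  frame.name = encodeRequest(request.localUrl, request.method, request.url, request.body);
  frame.location = proxyOrigin + '/cross_site_proxy.html';
  const req = decodeRequest(frame.name, proxyOrigin, ['GET', 'POST']); // runs in the proxy
  const res = send(req);
  frame.name = encodeResponse(res.status, res.body);
  frame.location = req.localUrl;   // back to the caller's origin
  return unpack(frame.name);       // caller reads the reply
}

// Constructed sample input.
const frame = { name: '', location: 'about:blank' };
const reply = roundTrip(frame,
  { localUrl: 'https://app.example.com/blank.html', method: 'GET', url: '/api/items' },
  'https://example.org', (req) => ({ status: 200, body: 'fetched ' + req.url }));
console.log(reply, frame.location);
```

In a browser, `frame` would be the iframe's contentWindow and the two halves would run in different documents; the caller can only read `name` again once the iframe is back on its own origin.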
Pros:
- As secure as Fragment Identifiers XHR proxying and the original window.name hack
- Full XHR proxying like in the Fragment Identifiers XHR proxying
- No server changes needed other than providing the proxy script
I am currently finishing my proof of concept implementation in GWT and I will do a follow-up on it shortly. In the meantime it can probably be easily implemented in js libraries like dojo as they have most of the required bits already done.
What do you think?