- JSONP aka script tag inclusion - someone even implemented it in GWT, but it's insecure and limited by the URL length limit.
- IFrames, Fragment Identifiers and XHR Proxying - secure but the communication via #hash is far from perfect.
- window.name hack with form submission - that's really nice, but limited to form submission and requires server-side changes (special response format).
I liked the window.name hack the most and started implementing it in GWT. And while doing so I asked myself a question - why is it only limited to form submission? Well, it's not! You can use window.name for communication like in the #hash communication and do full XHR proxying. Look at this new (at least I didn't see it anywhere else) cross-site communication scheme:
- Create an iframe
- Encode XHR params and a dummy localUrl in the iframe's
- Change the iframe's location to the server's proxy script (i.e. if you want to send a request to example.org, example.org needs to provide a proxy script at e.g. example.org/cross_site_proxy.html)
- The proxy script reads params from window.name and creates the real XHR
- Fire the XHR and encode the response (all of it) in
- Change the location back to
- Read the response from the iframe's
It is important to set proper caching headers for both localUrl and the server's proxy script so that they are loaded from the browser's cache without any additional requests.
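The steps above, simulated as an added example (not the author's GWT code): plain objects stand in for the iframe and the XHR, and it assumes both the request and the response travel in window.name as JSON. The message layout, the function names and every URL except the cross_site_proxy.html path are assumptions; the proxy side validates what it reads before acting on it.

```javascript
// Simulation with plain objects so it runs under Node: `frame` stands in for the
// iframe's window, `transport` for the XHR. All names and URLs are constructed.
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// Caller, step 2: pack the XHR params and the dummy localUrl.
function encodeRequest(params, localUrl) {
  const { method, url, headers = {}, body = null } = params;
  return JSON.stringify({ localUrl, method, url, headers, body });
}

// Proxy, step 4: window.name is set by whoever framed the proxy page, so it
// is untrusted input. Reject anything that is not a plain same-origin request.
function decodeRequest(name) {
  let msg;
  try { msg = JSON.parse(name); } catch (e) { throw new Error("malformed window.name"); }
  if (msg === null || typeof msg !== "object") throw new Error("malformed window.name");
  if (!ALLOWED_METHODS.has(msg.method)) throw new Error("method not allowed");
  // Path only: "//host" or "/\host" would leave the proxy's own origin.
  if (typeof msg.url !== "string" || !/^\/(?![\/\\])/.test(msg.url))
    throw new Error("only same-origin paths are proxied");
  // localUrl is later assigned to location, so accept http(s) URLs only.
  let back;
  try { back = new URL(msg.localUrl); } catch (e) { throw new Error("bad localUrl"); }
  if (back.protocol !== "https:" && back.protocol !== "http:") throw new Error("bad localUrl");
  return msg;
}

// Proxy, steps 4-6: fire the request, put the whole response in window.name,
// then navigate back. On a rejected request the frame stays on the proxy page.
function runProxy(frame, transport) {
  let req;
  try { req = decodeRequest(frame.name); } catch (e) { frame.name = ""; return; }
  const { status, headers, body } = transport(req);
  frame.name = JSON.stringify({ status, headers, body });
  frame.location = req.localUrl;
}

// Caller, steps 1-3 and 7. Returns null when the proxy never navigated back.
function roundTrip(params, transport) {
  const localUrl = "https://app.example/blank.html";
  const frame = { name: "", location: localUrl };
  frame.name = encodeRequest(params, localUrl);
  frame.location = "https://example.org/cross_site_proxy.html";
  runProxy(frame, transport);
  if (frame.location !== localUrl) return null;
  const reply = JSON.parse(frame.name);
  frame.name = ""; // window.name survives navigation; clear it after reading
  return reply;
}
```

In a browser the caller cannot read the frame's window.name until the frame is back on a same-origin page, which is why roundTrip treats a frame that never returned to localUrl as a failed request.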
- As secure as Fragment Identifiers XHR proxying and the original window.name hack
- Full XHR proxying like in the Fragment Identifiers XHR proxying
- No server changes needed other than providing the proxy script
I am currently finishing my proof of concept implementation in GWT and I will do a follow-up on it shortly. In the meantime it can probably be easily implemented in js libraries like dojo as they have most of the required bits already done.
What do you think?