Ajax cross-domains

I’d really like to see Ajax’s XMLHttpRequest changed just a tad: Instead of refusing cross-domain requests, I’d like it to try the request but return a permissions error to the caller if the headers returned from the server do not include a specific header, perhaps “XMLHttpRequest: Allowed”.

This would allow people trying to develop syndication (like WireTap) to permit remote Ajax clients to pull the data.

I’d also like a well-defined header from the client, e.g. “XMLHttpRequest: requesting page”, that can be filtered on: if someone pulls a wiretap XML page into their browser, I’d like it to be fully self-documenting. However, when the page is being pulled programmatically through XMLHttpRequest, it ought to be barebones.

Unfortunately, there doesn’t appear to be an Ajax standards body.


Heh, I’m actually looking forward to RDF becoming more prevalent – ok, doesn’t quite work with doing it at the client end – but does give a very nice method to work with merging datasets from disparate website data feeds.

Of course, there’s always the hope that if it takes off then people will be able to use it for client side programming too :)

I have not tried, but does the browser send the same USER_AGENT and HTTP_ACCEPT HTTP headers in both kinds of requests? At least those are the usual headers to distinguish between browsers/devices.

You could also have a different set of URLs, using something like a prefix, suffix etc. so the regular users could get the response post-processed to document it, while the XMLHttpRequest could call the XML content directly.

At least that’s how we usually do it.

Hi again, a quick test in one of my applications and Firebug tells me that, at least using Ext JS, the AJAX requests send an extra http header called “X-Requested-With” and value “XMLHttpRequest”. The other headers are the same.

Google, google and it seems it is a custom thing depending on the library used but many libraries use it. However, that means it’s not standard and included by the XMLHttpRequest object itself.

Tough luck, it seems.

Someone here should start the AJAX Standards Body.

:) *looks around the room at programmers suddenly looking away from him*

It is being implemented in Firefox3 by using a cross-domain policy on the server. I’m not aware of IE8 implementing any cross-domain policy ability though.



Anyway, I was actually rather surprised to see the Firefox 3 implementation. There may be hope yet.
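
The scheme proposed in the post, combined with the “X-Requested-With” header reported in the comments, modelled with plain functions as an added example (not code from the post or its commenters). The function names, origins and feed bodies are constructed, and “XMLHttpRequest: Allowed” is the post's hypothetical header, not a real standard.

```javascript
// Normalise header names, since HTTP header names are case-insensitive.
const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));

// Server side: pick a representation and optionally opt in to cross-domain reads.
function serveFeed(requestHeaders, { allowCrossDomain }) {
  const req = lower(requestHeaders);
  // Presentation hint only: any client can set or omit this header, so it
  // selects barebones vs documented output and must never gate access to data.
  const programmatic = req['x-requested-with'] === 'XMLHttpRequest';
  // Vary keeps caches from handing the documented page to a script, or vice versa.
  const headers = { 'Content-Type': 'application/xml', 'Vary': 'X-Requested-With' };
  if (allowCrossDomain) headers['XMLHttpRequest'] = 'Allowed';
  const feed = '<feed><item>constructed sample</item></feed>';
  const body = programmatic
    ? feed
    : '<?xml-stylesheet href="doc.xsl" type="text/xsl"?><!-- self-documenting -->' + feed;
  return { status: 200, headers, body };
}

// Browser side, as the post proposes: the request is always sent, and the
// response is released to the calling script only if same-origin or opted in.
function deliverToScript(pageOrigin, targetUrl, response) {
  const sameOrigin = new URL(targetUrl).origin === pageOrigin;
  const value = lower(response.headers)['xmlhttprequest'] || '';
  const optedIn = value.trim().toLowerCase() === 'allowed';
  if (sameOrigin || optedIn) return { ok: true, body: response.body };
  // The server has already processed the request by now; only the read is
  // blocked, so state-changing endpoints still need their own checks.
  return { ok: false, error: 'permission denied: server did not opt in' };
}
```
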
