As mashups are getting more and more common a problem that keeps arising is how to include data from external domains in a safe way.
The reason why this is difficult is because the current implementations of the XMLHttpRequest API disallows access to other domains as a security measure (to avoid CSRF/XSRF).
Even though newer browsers are getting support for this using the crossdomain.xml policy file, this is still a feature that older browsers are unable to use.
So how can this be done with easyXDM? Well, it’s actually quite easy as easyXDM is actually shipped with a /cors/ (index.html) interface that exposes an easyXDM.Rpc instance that again exposes the following interface
request: function(config, fn){ ..... }
To take us of this on the consumer you simply need the following code
var xhr = new easyXDM.Rpc({ remote: "http://other.domain/cors/" }, { remote: { request: {} // request is exposed by /cors/ } });
With this up and running you can use
xhr.request({ url: "pathRelativeToRemote/getrest/", method: "POST", data: {foo:"bar"} }, function(response) { alert(response.status); alert(response.data); });
There you go, cross domain ajax!
The /cors/ implementation will adhere to the CORS standard and will verify the related headers before returning the response. If you want to skip this, then you can simply white-list all domains in the interface.
Note: This is for your security – you don’t want to go exposing all the resources on your domain to anyone now do you?
For more information: see the readme at github.
You can find the demo here.