Adrian Bateman of the IE8 team has posted a video showing how to use IE8’s new XDomanRequest object to request data from a URL that is not in the current HTML page’s domain. He also shows how to make an (almost) equivalent cross-domain call in a beta build of Firefox 3.1.
This makes use of the new Access-Control-Check header that has been inching its way through standards committes for the past few years. It works like this:
- Script running in the browser makes a request for a URL outside the current document’s domain
- The browser retrieve the requested page and examines the page’s headers for an Access-Control-Check header.
- If the page does not have an Access-Control-Check header, the browser fails the request and the script never sees the data.
- If the page has an Access-Control-Check header but the domain(s) listed in the header don’t match the domain of the document making the request, the browser fails the request and the script never sees the data.
- If the domain of the current document matches the domain spec in the Access-Control-Check header, the browser passes the data through to the waiting request in the script.
Existing web pages are automatically excluded from cross-domain requests. That is to say, script can request it and the browser will actually fetch the page, but the script will never see the results. This is slightly different from how older browsers handle cross-domain requests – the request is shut down when the browser notices that the requested URL doesn’t match the current document’s domain, before anything crosses the wire.
It seems conceivable to me that under this Access-Control-Check scheme, malicious web pages could launch a distributed Denial of Service attack against a particular server using cross-domain requests. It doesn’t matter that the script never actually receives the data, the damage has already been done by requesting the page from the target server. Is there any way for the server to ignore such requests? I don’t know. I’m sure the standards committees have discussed this at length.
This caveat aside, it’s exciting to see cross-domain support working its way into the major browsers. I look forward to tinkering with it in IE8.
Check out the video on Adrian’s blog post. You’ll probably want to download the .wmv directly to view it full screen in your local video player, as the video box in the blog post is far too small to see what is going on on the screen and the Flash player doesn’t appear to provide any way to zoom it up to a more useful size. Odd.
Found via Ajaxian