The browser security model dictates that XMLHttpRequest, frames, etc. must share the same domain in order to communicate. There are traditionally three ways to work around this restriction:

  • Local proxy: needs infrastructure, and you get double-taxed on bandwidth and latency
  • Flash: the remote host needs to deploy a crossdomain.xml file; Flash is relatively proprietary and opaque to use, and requires learning a one-off, moving-target programming language
  • Script tag: difficult to know when the content is available, no standard methodology, and can be considered a “security risk”

There is a new, technology-agnostic, standard methodology for the script tag method of cross-domain data fetching: JSON with Padding, or simply JSONP. When the script loads, it executes. It works because the same-origin policy doesn’t prevent dynamic script insertions and treats the scripts as if they were loaded from the domain that provided the Web page.
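The exchange described above, as an added example that is not part of the original post: the server wraps JSON in a call to a callback the client names (the "padding"), and the client runs the response as script. The names `buildJsonpResponse`, `loadJsonp` and `handleData`, the URL in the comment, and the callback-name check are assumptions made for illustration; the script load is simulated with `new Function` so the code runs outside a browser.

```javascript
// Added example; buildJsonpResponse, loadJsonp and handleData are hypothetical names.

// A JSONP response is executable script, and the callback name is reflected
// into it, so accept only a plain identifier of bounded length.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Server side: wrap the JSON payload in a call to the requested callback.
function buildJsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  // JSON.stringify leaves U+2028/U+2029 unescaped; older script parsers treat
  // them as line terminators inside string literals, so escape them.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${callbackName}(${json});`,
  };
}

// Client side, simulated. A browser would insert
// <script src="https://api.example/data?callback=handleData"> and run the
// response body as script with the page's privileges. Here the body runs via
// new Function with only the callback in scope.
function loadJsonp(callbackName, data) {
  const res = buildJsonpResponse(callbackName, data);
  if (res.status !== 200) return { status: res.status, received: undefined };
  let received;
  new Function(callbackName, res.body)((value) => { received = value; });
  return { status: res.status, received };
}

// Constructed sample payload.
const ok = loadJsonp('handleData', { user: 'alice', id: 7 });
console.log(ok.status, ok.received);
// Constructed callback value that is not an identifier: rejected.
console.log(loadJsonp('handleData);extra(', { id: 7 }).status);
```

Because the response body executes in the including page, the page has to trust the remote host as much as its own scripts, which is the "security risk" noted for the script tag method.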
