Saturday, February 11, 2012

EasyXDM – Crossdomain javascript done right


Cross-domain requests are frowned upon by browser vendors, and with good reason: they are a huge security vulnerability. XSS vulnerabilities are one of the biggest nightmares for web security experts. Those ugly things can do anything from stealing user data to plastering the user's browser with popup ads. Worse yet, they can appear on your site through no fault of your own!
And yet, sometimes all you really need is a controlled cross-domain request and all your troubles go away. Maybe you're creating an embeddable widget for the WordPress dashboard, or just want to list GitHub repositories on your website without taxing your server. Or a bookmarklet. A sharing widget, maybe?
Here are just some of the hacks we’ve all used before:
  • JSONP – execute arbitrary unchecked code right in your app
  • iframes – communication through URL fragments and changing window names, which generally creates a big, unmaintainable mess
  • proxies – a long client-server-API-server-client roundtrip
  • URL fragments – let's just populate the browser history with a bunch of odd #something entries (OAuth2 uses this)
To add insult to injury, not only do all these hacks come with a bunch of problems of their own – they don't even solve the problem. All of them restrict what you can send (small-ish strings only) and how it has to be encoded, and they generally come with big latencies.
There's a better way. Something all the big players are already using, but you probably don't know about it. In fact, until a week ago I didn't either, and I follow the web tech scene pretty closely.

EasyXDM

EasyXDM gives you the ability to make cross-domain requests securely from a client to a server, and even from a client to a client. The real beauty of it is that it can even open a socket-like channel that you can use to communicate rather efficiently … in every browser. Even IE6.
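Whatever transport carries the messages, the receiving side is where "securely" is decided: the handler has to check which origin a message came from and treat the payload as data, not as code (the JSONP mistake from the list above). The following is an added example, not code from this post or from the easyXDM project; it assumes the handler is invoked as (message, origin), and the origins and messages are constructed samples.

```javascript
// Added example (not from the post or the easyXDM project): a defensive
// onMessage handler for a cross-domain channel. It assumes the channel calls
// the handler as (message, origin). Two rules: the sending origin must match
// an allow-list exactly, and the message is parsed as data (JSON), never
// executed the way JSONP executes whatever the remote side returns.

function normalizeOrigin(origin) {
  // Reduce "https://Widgets.Example.com:443/path" to "https://widgets.example.com"
  // so the allow-list comparison is exact, not a substring or regex match.
  try {
    return new URL(origin).origin;
  } catch (e) {
    return null; // not a parseable origin: treat as untrusted
  }
}

function makeMessageHandler(allowedOrigins, dispatch) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin));
  return function onMessage(message, origin) {
    const from = normalizeOrigin(origin);
    if (from === null || !allowed.has(from)) {
      return { accepted: false, reason: "origin not allowed" };
    }
    let data;
    try {
      data = JSON.parse(message); // data only; never eval()/Function()
    } catch (e) {
      return { accepted: false, reason: "malformed message" };
    }
    if (typeof data !== "object" || data === null || typeof data.type !== "string") {
      return { accepted: false, reason: "unexpected message shape" };
    }
    dispatch(data);
    return { accepted: true, reason: null };
  };
}

// Constructed sample traffic (hypothetical origins, not captured from a real page).
const received = [];
const handler = makeMessageHandler(
  ["https://widgets.example.com"],
  (data) => received.push(data)
);
const results = [
  handler('{"type":"repos","items":["a","b"]}', "https://widgets.example.com"),
  // look-alike origin: a substring check would wrongly accept this one
  handler('{"type":"repos"}', "https://widgets.example.com.attacker.invalid"),
  // script text from a trusted origin is still just a rejected non-JSON string
  handler('alert(1)', "https://widgets.example.com"),
];
```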
