

The fight for a cross domain XMLHttpRequest - bdfh42
http://ajaxian.com/archives/the-fight-for-cross-domain-xmlhttprequest

======
rcoder
My worry about this is that it is yet another place for the implementation
quality of your browser to be largely responsible for the security of your
data. While I think Microsoft does a fine job of security R&D, they tend to
massively fail when it comes time to actually deliver.

At a fundamental level, simplicity of mechanism has to be part of any secure
system. Every major MS stack (Windows kernel+core API, IE+ActiveX+JScript,
Office+VBA) is just too huge, and has too many little back doors around the
security infrastructure built in for performance and backwards-compatibility.

Now, if they were truly willing to commit to using a substrate like Singularity for
their trusted computing base, we can talk about security.

The better way to handle this, of course, is separate browser runtimes for
separate applications, à la Prism/XULRunner. Each desktop app should have a
whitelist of hosts it's allowed to access, and sharing can be accomplished via
normal local system channels.

------
danw
In the meantime we can use JSONP to bypass cross domain restrictions.

~~~
icky
Or Flash.

~~~
jauco
Do you mean "Just dump Ajax and use Flash" or "Flash gets around the cross
domain problem"?

Never mind, Google is quicker than asking questions:
<http://blog.monstuff.com/archives/000280.html>

