
CSSHttpRequest (CHR) is a method for cross-domain AJAX using CSS for transport. - tzury
http://nb.io/hacks/csshttprequest/
======
geuis
I don't see any flaws in the technique, and it's a very cool technique. But one
problem I see is that you have to have the responding server package the data
correctly for transport via this method.

Meanwhile, doing JSONP simply requires the data on the 3rd party server be
delivered in a JSON format, while this requires the special 2kb packaging.

It's definitely a more secure way of obtaining remote data from untrusted 3rd
parties, but the trade-off is that the 3rd party has to be set up to correctly
deliver the data.

------
bprater
A beautiful hack was my first thought and then -- ugh, let the exploits begin?

~~~
lux
He does say that "Unlike JSONP, untrusted third-party JavaScript cannot
execute in the context of the calling page." I'm not sure why, and I would
assume that's as long as you never call eval(), but it would be good to know
why he thinks this is a more secure idea.

Also didn't see a list of browsers it supports. That would be helpful too. If
it's widely supported, this could be a good way to get data feeds from 3rd
party sites and not have to do any server-side processing on your end.

~~~
lux
Looking at his source, he does an eval() in the first line of his response
handler for the flickr example. I imagine you could do a JSON.parse() instead
of eval() -- preferably! -- but if he says it's secure, what about that line?

~~~
tlrobinson
The key here though is that evaluating untrusted code from a 3rd party site
is not a _requirement_ of the transport. That eval is in the client code and
it could just as easily be a safer alternative (either checking that it's
sanitary with a regex or using a library's JSON decode function).

With JSONP you necessarily have to execute untrusted code, since JSONP works
by loading JavaScript in a <script> tag.
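
To make the point concrete, here is an added example (not code from the CHR library or from anyone in this thread) of a CHR-style response decoder that reassembles the url(data:,...) chunks and hands them to JSON.parse instead of eval(). The rule layout, the `encodeChunk` helper and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example, not the CHR library's own code: the response is a
// stylesheet whose rules carry the payload as url(data:,...) chunks (the
// exact rule layout is an assumption here). The decoder reassembles the
// chunks and hands them to JSON.parse, never eval(), so a payload that is
// JavaScript rather than JSON is rejected instead of executed.

// Percent-encode a chunk strictly, including the characters that
// encodeURIComponent leaves alone but that would break a CSS url() token.
function encodeChunk(s) {
  return encodeURIComponent(s).replace(/[()'!*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Pull every data: URI chunk out of a CSS text, in rule order.
function extractChunks(cssText) {
  const re = /url\(\s*["']?data:,([^"')\s]*)["']?\s*\)/g;
  const chunks = [];
  let m;
  while ((m = re.exec(cssText)) !== null) chunks.push(decodeURIComponent(m[1]));
  return chunks;
}

// Decode a CHR-style response into a value. JSON.parse throws on anything
// that is not strict JSON; that rejection is the safe substitute for eval().
function decodeChrResponse(cssText) {
  const text = extractChunks(cssText).join('');
  if (text.length === 0) throw new Error('no payload chunks in response');
  return JSON.parse(text);
}

// Wrapper that reports failure instead of throwing, for callers and tests.
function decodeSafely(cssText) {
  try { return { ok: true, value: decodeChrResponse(cssText) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Constructed sample: a Flickr-like result split across two rules, as a
// per-rule size cap (the thread's "2kb packaging") forces for larger bodies.
const SAMPLE_CSS = [
  '#c0{background:url(data:,' + encodeChunk('{"tag":"sunset","photos":[{"id":1,') + ');}',
  '#c1{background:url(data:,' + encodeChunk('"title":"Golden hour"},{"id":2,"title":"Dusk"}]}') + ');}',
].join('\n');

// Constructed sample: a response whose payload is code, not data.
// Under eval() it would run; under JSON.parse it is a SyntaxError.
const HOSTILE_CSS = '#c0{background:url(data:,' + encodeChunk('alert(1)') + ');}';

console.log(decodeSafely(SAMPLE_CSS), decodeSafely(HOSTILE_CSS));
```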

~~~
lux
I see. Thanks for that info, I wasn't familiar with JSONP's technique. In that
case, this does sound like a pretty cool library!

------
pmjordan
Well, the examples don't work on Opera. I know the market share is tiny, but I
can't shake the feeling that this is a really fragile method.

~~~
louislouis
Yup, it needs to work on all browsers realistically. Good attempt though
nonetheless.

------
jmtame
I think Facebook uses 2 embedded iframes, and I hear that works pretty well for
security. Is this method documented anywhere?

I used JSONP, but one of the Facebook engineers told me that was a
hacky/insecure method.

~~~
waynep
Not sure about the Facebook method, but Dojo uses something similar:

http://www.sitepen.com/blog/2008/07/30/protected-cross-domain-authentication-with-javascript/

------
SingAlong
The Flickr tag search example on that page! Beautiful! Cool hack.

Works on IE7, FF3 and Chrome. And as pmjordan said, it doesn't work on Opera (I
use 9.52).

