Skip to main content

HTML5 XmlHttpRequest 2 v/s Flash\Silverlight approach to cross-origin requests

A few days back I had posted on XmlHttpRequest Level 2, describing how cross-origin requests can be achieved. A few folks on my team asked me how different it is from Flash\Silverlight's approach to achieve cross domain request\response with crossdomain.xml. The approach that these plugins take to send a request and receive a response is completely different from that of XmlHttpRequest's approach.

In case of Flash\Silverlight a policy file crossdomain.xml is created for the site. This file would contain a list of all sites that can make a cross domain request to this site. For example, if http://yoursite.com lists http://friendssite.com in crossdomain.xml file, then http://friendssite.com is allowed to access all the resources of http://yoursite.com. Here the access control mode is set to per site. XHR 2 on the other hand, follows a different approach altogether. It works on the per page access control model. In this case, every page has to respond with a 'Access-Control-Allow-Origin' header to the foreign site. With this approach only a part of a website can be accessed by a foreign site, keeping the rest of the website inaccessible.

Another difference to note is that, in case of Flash\Silverlight the browser fetches the crossdomain.xml defined for the website and analyzes it. If a foreign site is not allowed to make cross domain calls then the browser restricts the call being made. In case of XHR 2, a request is sent first and then a check is performed to see whether the response header contains 'Access-Control-Allow-Origin' header. If this header allows the foreign site then it can read the response, otherwise the response is inaccessible to javascript.

Comments

Popular posts from this blog

How to use the APP_INITIALIZER token to hook into the Angular bootstrap process

I've been building applications using Angular as a framework of choice for more than a year and this post is not about another React vs Angular or the quirks of each framework. Honestly, I like Angular and every day I discover something new which makes development easier and makes me look like a guy who built something very complex in a matter of hours which would've taken a long time to put the correct architecture in place if I had chosen a different framework. The first thing that I learned in Angular is the use of the APP_INITIALIZER token.

On GraphQL and building an application using React Apollo

When I visualize building an application, I would think of using React and Redux on the front-end which talks to a set of RESTful services built with Node and Hapi (or Express). However, over a period of time, I've realized that this approach does not scale well when you add new features to the front-end. For example, consider a page that displays user information along with courses that a user has enrolled in. At a later point, you decide to add a section that displays popular book titles that one can view and purchase. If every entity is considered as a microservice then to get data from three different microservices would require three http  requests to be sent by the front-end app. The performance of the app would degrade with the increase in the number of http requests. I read about GraphQL and knew that it is an ideal way of building an app and I need not look forward to anything else. The GraphQL layer can be viewed as a facade which sits on top of your RESTful services o...

Using MobX to manage application state in a React application

I have been writing applications using React and Redux for quite some time now and thought of trying other state management solutions out there. It's not that I have faced any issues with Redux; however, I wanted to explore other approaches to state management. I recently came across MobX  and thought of giving it a try. The library uses the premise of  `Observables` to tie the application state with the view layer (React). It's also an implementation of the Flux pattern wherein it uses multiple stores to save the application state; each store referring to a particular entity. Redux, on the other hand, uses a single store with top-level state variables referring to various entities.