In security circles you're branded as pure evil if you talk about circumventing the Server of Origin Policy that helps protect JavaScript interaction from being hijacked by hax0rs. Frankly, that's with good reason - in the vast majority of cases.
But still, when I have something like blog.angrypets.com and want to be able to let it tie in to something like statusupdates.angrypets.com (via the XMLHttpRequest object) it would sure be nice to just have my JS directly load/connect to statusupdates.angrypets.com. (As a case in point, blog.angrypets.com is hosted as a TypePad blog - so it's not like I can wire up a server-side proxy of any WS goodness that might be exposed on statusupdates.angrypets.com. Not to mention that just 'blindly' proffering proxies in that manner can also get you into a HEAP of trouble when it comes to security.)
What we need is a SAFE way to trust external domains for direct linking. I think a killer way to do it would be to put a servers.trusted file right in the root of your site (i.e. on par with robots.txt and favicon.ico). This servers.trusted file would simply provide a list of endpoints that the site owner deems trusted in terms of 'circumventing' the domain of origin policy. That way www.angrypets.com could be trusted to work with just plain ol' angrypets.com or scripts.angrypets.com, and so on. It could also be trusted to interact with other sites that I own, like common.overachiver.net, and so on. Likewise, if you trusted a service proffered by Google or MSN, you could 'link' there as well (if that floated your boat).
And as for any worries that hackers might somehow 'poison' your sites by overwriting this file: if they're able to modify a file at the root of your site then your last concern is the possibility of XSS via XHR injection.
Of course, to implement this 'change' would take a miracle - as all browser vendors out there would need to implement a standard way of permitting their JS runtimes to check for the existence of a .trusted file, parse it, and then 'trust' the specified endpoints. So, it's sadly likely to never happen.
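A sketch of the check a JS runtime would have to make under this proposal, as an added example that is not code from the post or from any browser. The file format (one bare hostname per line, `#` comments, no wildcards) and the names `parseTrustedFile` and `isTrustedTarget` are assumptions; the sample file is constructed.

```javascript
// Added example. Assumed file format (the post does not define one):
// one bare hostname per line, '#' starts a comment, no wildcards.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})+$`);

function parseTrustedFile(text) {
  const hosts = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim().toLowerCase();
    // Skip blanks and anything that is not a plain hostname
    // (schemes, paths, ports and wildcards are rejected, not "repaired").
    if (line !== '' && HOSTNAME.test(line)) hosts.add(line);
  }
  return hosts;
}

// pageUrl: the page running the script. trustedHosts: parsed from the
// servers.trusted file at the root of that page's own site.
function isTrustedTarget(pageUrl, targetUrl, trustedHosts) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(targetUrl);
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
  if (!['http:', 'https:'].includes(target.protocol)) return false;
  // An HTTPS page must not be downgraded to a plaintext endpoint.
  if (page.protocol === 'https:' && target.protocol !== 'https:') return false;
  if (page.origin === target.origin) return true; // same origin: always allowed
  // Exact hostname match only, so "angrypets.com" does not admit
  // "evilangrypets.com" or "angrypets.com.evil.example".
  return trustedHosts.has(target.hostname);
}

// Constructed sample servers.trusted file.
const SAMPLE = [
  '# hosts this site trusts for direct XHR',
  'angrypets.com',
  'scripts.angrypets.com',
  'statusupdates.angrypets.com',
  'common.overachiver.net   # another site I own',
  '*.google.com             # wildcard: ignored',
  'http://evil.example/     # not a bare hostname: ignored',
].join('\n');
const TRUSTED = parseTrustedFile(SAMPLE);
```

Matching on the exact hostname rather than a suffix or substring is what keeps a look-alike domain from inheriting the trust granted to a listed one.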
http://www.mozilla.org/projects/security/components/same-origin.html
You can change the suffix to access your own subdomains.
Hope that helps a bit.
Posted by: volte | July 18, 2007 at 11:26 AM