Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

HTML5 XmlHttpRequest 2 vs Flash\Silverlight approach to cross-origin requests

DZone's Guide to

HTML5 XmlHttpRequest 2 vs Flash\Silverlight approach to cross-origin requests

· Web Dev Zone ·
Free Resource

Jumpstart your Angular applications with Indigo.Design, a unified platform for visual design, UX prototyping, code generation, and app development.

A few days back I had posted on XmlHttpRequest Level 2, describing how cross-origin requests can be achieved. A few folks on my team asked me how different it is from Flash\Silverlight's approach to achieve cross domain request\response with crossdomain.xml. The approach that these plugins take to send a request and receive a response is completely different from that of XmlHttpRequest's approach.

In case of Flash\Silverlight a policy file crossdomain.xml is created for the site. This file would contain a list of all sites that can make a cross domain request to this site. For example, if http://yoursite.com lists  http://friendssite.com in crossdomain.xml file, then http://friendssite.com is allowed to access all the resources of http://yoursite.com. Here the access control mode is set to per site. XHR 2 on the other hand, follows a different approach altogether. It works on the per page access control model. In this case, every page has to respond with a 'Access-Control-Allow-Origin' header to the foreign site. With this approach only a part of a website can be accessed by a foreign site, keeping the rest of the website inaccessible.

Another difference to note is that, in case of Flash\Silverlight the browser fetches the crossdomain.xml defined for the website and analyzes it. If a foreign site is not allowed to make cross domain calls then the browser restricts the call being made. In case of XHR 2, a request is sent first and then a check is performed to see whether the response header contains 'Access-Control-Allow-Origin' header. If this header allows the foreign site then it can read the response, otherwise the response is inaccessible to javascript.

Take a look at an Indigo.Design sample application to learn more about how apps are created with design to code software.

Topics:

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}