How To Cross Domain Javascript

This post details how to perform cross domain Javascript calls without proxy servers, Flash, and fragments. This technique was employed in the currently defunct ScribbleHere chat service in conjunction with the Msgpad chat engine. The Problem From a naive perspective, it is not possible for a web page from domain D, to access a URL from another domain E due to security considerations. Several workarounds have been developed, namely the remote script technique. All existing workarounds suffer from significant limitations, such as the unhampered ability to read and write between two different domains. The Short Say domain D wants to connect to domain E. In a nutshell, the trick is to use DNS to point a sub-domain of D, D_s, to E's server. In doing so, D_s takes on the characteristics of E, while also being accessible to D. The Long To minimize security problems, a browser on domain D, is not allowed to talk to a browser on domain E. However, it is possible for domains to communicate with sub-domains using the document.domain technique in Firefox, IE, Safari, and Konqueror. Opera has implemented the cross-document messaging draft standard that allows communication between different domains, not just sub-domains. For simplicity sake, Opera and the draft standard will be ignored from here on. Using the document domain technique it is possible to communicate from domain D, to a sub-domain, D_s, by embedding a D_s iframe in D. The problem is then to communicate between D_s and E. This can be solved by modifying the DNS of D_s to point to E's server. The result of this DNS modification is that D_s essentially becomes E, but remains accessible by D. Lastly, the server hosting E must be configured to accept requests for D_s. Here is a diagram illustrating the relationship of D, D_s, and E from the hostname perspective after the DNS modification has been made:
Cross Domain Ajax - Hosts Perspective

This is a diagram illustrating D, D_s, and E from an IP perspective:
Cross Domain Ajax - IP Perspective

It should be noted that for this technique to work, the owner of D, and E are required to co-operate. MetaSocial + IMIV: A Fictional Example The year is 2007 and social networks are all the rage. Given the vast array of social networks now available, TeamValley, a cutting edge web2.0 technology company from "the valley", decide the time is right to implement their latest innovation code named MetaSocial - "the social network for people who participate in social networks". After many sleepless nights and an initial funding of $15 million, the team at MetaSocial decide to put away World of Warcraft and get down to business. MetaSocial determine that in order to rule the social networking scene, they need to allow other social networks to integrate with their meta social network via some sort of read/write API. MetaSocial allows subscribers of their service to specify a host that MetaSocial will integrate with. This hostname is mapped to their web server, and the appropriate reverse proxy routings are established within the MetaSocial network. George from GA runs a mediocre social network called DoctorsOnTv (DOT) - a social network for actors that have played doctor roles on TV. While George manages to tap a suprising number of subscribers, it is sadly not enough to turn profit. "I knew I should have gone with DetectivesOnTv", he regrets. George hears about MetaSocial, and out of despair decides integration is worth a last ditch effort in the hope of boosting numbers. On the MetaSocial signup page, George specifies a sub-domain that MetaSocial can expect George's social network to connect through - metasocial.doctorsontv.net (the .com was domain parked). One day after logging on to DOT, Izzy, an intern and member of DOT, reads a new message in her inbox: "Izzy, Clooney has friended you at the social network TvSeriesTurnedMovieStars. Click _here_ to confirm." Izzy clicks "_here_". Rather than the page reload she expected, an image is automatically updated.. and then faded! - "probably that new fangled AJAX technology", she reasons. The curious type, she opens FireBug in FireFox to discover the line: POST http://metasocial.doctorsontv.net/users/confirm_friend/izzy?network=TvSeriesTurnedMovieStars?id=a3f2s (3008ms) She notices that the current page she is viewing, http://www.doctorsontv.net/users/inbox/izzy , is on a different domain to the one the POST request was made too. Digging in to the HTML via FireBug she notices an iframe with a src of http://metasocial.doctorsontv.net/api which she concludes is a gateway through to some sort of social network hub called MetaSocial. Conclusion It is possible to employ read/write cross domain calls using only HTML, Javascript, and modifications to DNS and web host mappings. Importantly, no modifications are required by browsers and security is not compromised. One limitation of this system is that DNS modifications can take up to days to propagate, and so should probably be made with some certainty. This technique is also limited in that a certain level of authority and technical understanding is required. For example, D must have the know how and authority to modify their DNS records, and E must have authority and competence to map D_s to E. Many hosting companies provide enhanced security to avoid illegal access to a domain; dot5hosting is a good example in this context. The comptia security certification exam N10-003 is of relative importance as it provides knowledge of communication security and general security concepts. The process to buy domain is more complex nowadays. With many new companies emerging and offering various advanced services, selection of a right one is a big issue. However, one should focus on the basic requirements first like dedicated server, email hosting, security etc and then look for advance services like free software applications, forums creation, free templates of web site design which can be edited by computer software to simplify the selection process.