Cross Origin Resource Sharing – AKA The Holy Grail

December 2, 2009

The other day I was chatting with a guy about the overly restrictive cross-domain request policy and how silly it is given the pervasiveness of cross-domain apps on the web today. Most devs get around this restriction with hacks like jsonp or nested iframes anyways. I told him that it’s high time we move past this archaic security measure and take web apps to the next level!

He just said, “Uh… do you want to upgrade your coffee to a venti for only 35 cents more?” Always the salesman that guy…

Cross Origin Resource Sharing

Recently I stumbled across this article on the excellent Mozilla Hacks blog. Cross Origin Resource Sharing (CORS). Sweet! Finally a true implementation of cross-site XMLHttpRequests.

The CORS standard works by adding new HTTP headers that allow servers to serve resources to permitted origin domains.

They’re getting everything right with this one:

  • it’s completely opt-in server-side, so browsers can implement CORS without opening up a bunch of security holes,
  • it uses the existing XMLHttpRequest object so current code can easily start working cross-domain,
  • and it’s totally transparent to the client-side developer — validation, pre-flighting, and access control is all handled within the XMLHttpRequest object without any additional code!

Apparently it’s been in the works at the W3C for a couple of years (formerly known as ‘Access Control‘). But only the most recent versions of Firefox and webkit based browsers are starting to support it. Of course Microsoft, in their infinite wisdom, decided it would be best to implement their own spec, XDomainRequest. Some things never change…

The Holy Grail

Not the knights who say Ni
Not the knights who say Ni

Is this a big deal? I’m going to go out on a limb here and say this is the holy grail of web development!

Why? For one, there isn’t a good, non flash-based way to implement cross-domain long-polling/comet. If there’s one thing that’s going to define the next generation of the web, it’s real-time apps. CORS enables efficient real-time “mashups” (hate that term) that don’t rely on iframe hacks or flash.

Psh… cross-domain, real-time? Nothing more than a niche application, right? Not so fast.

The web will soon (if not already) start its industrial revolution. A “building up” versus the “building out” if you will. New web development will progressively become based around existing sites, rather than the creation of new sites. A true cross-domain solution is vitally important to this.

No, no, I’m not saying that people will stop creating new sites — that will always happen. I’m saying startups will turn more and more to building apps targeted at sites users are already invested in instead of trying to get them to some new property.


  • The Disqus comment app on this blog.
  • The Meebo Bar
  • Those little ‘Feedback’ widgets you see all over sites now.

A new ecosystem is emerging: apps built with web technologies that run on other sites. But they’re mostly iframe based with all the restrictions that iframes have (no access to the DOM, slow, etc). With CORS, developers can almost seemlessly develop apps cross-domain with all the power of same-domain scripting, making it the most important development to come along since the XMLHttpRequest!

In future posts I’ll delve into this “industrial revolution” of the web, but for now… back to that grail.