3

I Have a new project at work. It will require server to server and client to server messaging on a cross domain basis, just like the Facebook API. Where can I find good resources about this subject?

The main questions are:

  • Should we prefer using an iframe in the 'client' site or a script?
  • How do you create the handshake? both in client-to-server and server-to-server code?
  • How do I make this process secure? How do I validate the origin of the request?

I know this is a broad topic, but I'm not really familiar with it, and I'd like a push in the right direction.

CamelCamelCamel
  • 5,200
  • 8
  • 61
  • 93

2 Answers2

0

You can start by checking out Facebook cross domain (XD) source code that was written by Luke Sheppard

https://github.com/facebook/connect-js/blob/master/src/core/xd.js

For backward compatibility it uses flash objects as well as query string after pounds sign techniques for older browsers that don't support window.postMessage()

There is also an easyXDM library which is open source, it suppose to compensate for browser differences and provide simple api for both. (I'm in process of evaluating)

http://easyxdm.net

You are basically locked in to using IFrame to make cross domain request. The security is another huge subject, you can also inspect http requests of how stackoverflow does it's authentication with 3rd party domain, they use hashing of sessions and nonce tokens to make it secure over http.

good luck!

Sergey
  • 3,214
  • 5
  • 34
  • 47
0

JSONP works well for cross-domain requests from browsers. It does not require iframes, flash or other trickery.

The browser merely requests yet another JS script. Remember that Javascript source files can be fetched cross-domain.

You can use query string args as parameters to the api call.

Larry K
  • 47,808
  • 15
  • 87
  • 140