IE to adopt W3C Access Control for Cross-Site Requests
10 July 2008Recently Sunava Dutta of the Internet Explorer team announced that they will be adopting the W3C Access Control for Cross-Site Requests :
As promised, I’ve discussed the proposal we discussed at the F2F with my extended team and we’re excited about making the change to integrate XDomainRequest with the public scenarios specified by Access Control. This means IE8 will ship the updated section of Access Control that enables public data aggregation (no creds on wildcard) while setting us up on a trajectory to support more in the future (post IE8) using the API flag in an XDR level 2.
For IE8 beta 1, Microsoft had created a divergent mechanism in their new XDomainRequest API for making cross-site requests, greatly complicating the procedure for developers to enable cross-site access to resources. With this recent announcement, this has distinctly changed, and the future looks much better for a common approach to cross-site data access. I believe this convergence is excellent news for the web development community, as this means we can expect a standard mechanism for making cross-site requests across new browsers. Firefox is planning on implementing the W3C specification in their XMLHttpRequest API in FF3.1, Safari has an implementation in their nightlies, and Opera will certainly have it available as well (since the editor works for Opera). And now, according to Sunava, we can expect to see the cross-site access for public resources in IE8 very soon:
understandably, we’d like to get this goodness out to devs as early as our Beta 2.
The changes to expect in IE8’s XDomainRequest will include:
1) Retirement of XDomainRequest:1 on client side to Access-Control-Origin:<origin>
2) Understanding server response of Access-Control:* in place of XDomainRequestAllowed:1, which will be retired as well.
In future versions of IE, we can expect the full cross-site access capabilities prescribed by the W3C’s specification:
When the API switch in a post IE8 version of XDR is flipped to ‘private’ or its equivalent, we will allow headers to be set (including whitelist) and creds sent cross domain among other features of AC pending the remaining few issues are locked down.
There has been a lot of great work on the Cross-Site for Access Control proposal recently; improving the safety of opting into cross-site access for common usage, simplifying syntax, and removing extraneous aspects like XML processing instructions. Congratulations to the W3C WebApps group for their work, and thanks to Sunava and the IE team for their convergence.
2 Responses to “IE to adopt W3C Access Control for Cross-Site Requests”
July 10th, 2008 at 8:06 pm
Does this mean people will not use JSON remote scripting or IFRAME hacks anymore? Will this make JSON on the client safer as a data interchange or will people now prefer XML>
July 10th, 2008 at 11:52 pm
Yes, this could be used in lieu of JSONP/remote scripting. It can be used just as easily with JSON and XML; it is intended to be used for adding cross-site capabilities to XHR, so it will have all the capabilities of XHR (although IE will probably do it with their XDR API).