Two Methods for Handling Cross-Domain Ajax Calls

RELATED: "How Secure is Ajax?" and "Ajax Features in ASP.NET MVC."

For security reasons, browsers tend to unilaterally block any calls being made to URLs outside the domain that served the current page. An Ajax page served from, say, dino.com, isn't allowed to place any Ajax calls to URLs that are located on a different domain. It should be noted that there are no technical reasons that prevent browsers from opening a socket to an endpoint and sending an HTTP request. If that doesn't happen, it's because browsers simply don't want to make cross-domain calls. To confirm this fact, consider that as a user you can enable cross-domain access at any time. All you need to do is open the Options dialog box of a browser, select the Security tab, and change the settings. Figure 1 shows the dialog box you use with Internet Explorer (IE) to enable cross-domain access.

Figure 1: Dialog box for enabling cross-domain data access in Internet Explorer

As a developer, you can't just assume that end users will set their browsers to allow cross-domain calls. Another solution must be found and applied. Indeed, a few options exist to solve the cross-domain access puzzle. In this article, I'll first briefly touch on the current de facto solution, "JSON with padding" (JSONP), then focus on a more futuristic solution that I hope will be available once it's ratified by the World Wide Web Consortium (W3C).

JSONP: The Current Standard for Cross-Domain Access

Although browsers seem reluctant to make cross-domain Ajax calls, they blissfully place cross-domain requests to scripts, images, and HTML pages. In fact, tags such as