Udostępnij za pośrednictwem


Completing Access Control support for XDomainRequest

Back in October, Sunava described changes that we made to the XDomainRequest (XDR) object in IE8 between the Beta 1 and Beta 2 releases. This object allows your AJAX web pages to request data from sites with a different hostname from the page itself, something that IE doesn’t allow for security reasons via XMLHttpRequest. Since Beta 1 we’ve been working with the W3C Web Application group on the Access Control framework and the changes we made in Beta 2 were to adopt the Simple Cross-Site Access Request.

I’m happy to announce that we have recently completed our support for the Access Control Check using the Access-Control-Allow-Origin header defined by the updated spec. This means that, in addition to the wildcard check (looking for *) that we supported in Beta 2, we also now support the origin URL check. This support will be part of the next public release of IE that Dean announced a few weeks ago.

I have recorded a short video that demonstrates how to use XDR and what this announcement means. It also shows how the Access Control framework is supported by other browsers allowing interoperable services to be called from your pages.

—Adrian Bateman, Program Manager, Internet Explorer

Comments

  • Anonymous
    January 14, 2009
    Sorry, we seem to be having some issues with the video.  We will have it fixed shortly.

  • Anonymous
    January 14, 2009
    If the video isn't working for you try refreshing the page and try it again.  This seems to fix it for most people.

  • Anonymous
    January 14, 2009
    The comment has been removed

  • Anonymous
    January 14, 2009
    fail to see what this has to do with but XDR but I'll bite... iirc a common way to use SVGs is directly embedding in the browser, which lets you take advantage of the fact that it's just another XML format.  Someone said (I think in the IE7 blog) when relating to IE's handling of mime-types involving XML that they weren't going to claim to handle XML until they actually could 100%.  I'd bet this is related. Sure, they could stick a plugin to handle external SVG images only (like you can get from adobe) but a major reason to use SVG is to make use of its ability to be manipulated via ajax stuff or you could just use silverlight ;)* *but SVG files are also produced by several other tools and apps, making it more desirable.  Sure, vector graphics (xaml) are also defined in xml, but tools don't produce that.  they do produce SVG files.

  • Anonymous
    January 14, 2009
    The comment has been removed

  • Anonymous
    January 14, 2009
    @Gyrobo: As discussed previously on the IEBlog, we've submitted the EOT format for standardization.  You do not need an Access-Control-Allow-Origin header to use EOT files. http://blogs.msdn.com/ie/archive/2008/07/21/font-embedding-on-the-web.aspx The existence of Access Control support for XDomainRequest is in no way related to Internet Explorer's font-embedding support.

  • Anonymous
    January 15, 2009
    1st rule of putting up a video on the web.

  • If you are showing how to edit code make sure that you're video size is large enough that you can see the characters typed in the example.
  • If nothing else, just crop the window to the editor portion only (we don't need to see toolbars, sidebars, the Start button/taskbar etc. (Bonus points if you turn ClearType™ off before recording so that the rendering output doesn't look fuzzy)
  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    January 15, 2009
    Durante la presentazione che feci ai MS Days 08 su IE8, ho brevemente accennato ad alcune API che possono

  • Anonymous
    January 15, 2009
    The presenter is very clear - I hope he will do more videos like this in future!

  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    January 15, 2009
    Clear and interesting presentation. Will XMLHttpRequest with cross-Site be supported (later) in IE, so that we don't have to provide two versions of the same code?

  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    January 15, 2009
    @Adrian Bateman: Thanks for your fast and clear answer. So we'll have to deal with this double syntax for a while, but I guess libraries such a JQuery will soon take care of that...

  • Anonymous
    January 18, 2009
    Thanks very much for the presentation. It's clear to me!

  • Anonymous
    January 20, 2009
    thanks the video was very clear and helpfull. how will we support backward compatibility for IE7 and IE6 as people will take time to migration to IE8 and what about other browser like safari and Opera?

  • Anonymous
    January 21, 2009
    The comment has been removed

  • Anonymous
    January 29, 2009
    This is one of my favorite times in the product cycle. IE8 is platform complete and as we get closer

  • Anonymous
    April 02, 2009
    You’ve probably already seen how Internet Explorer 8 Accelerators allow you to search very quickly the

  • Anonymous
    April 03, 2009
    You’ve probably already seen how Internet Explorer 8 Accelerators allow you to perform searches very

  • Anonymous
    April 09, 2009
        Internet Explorer 8을  계획했었을 때, 보안팀은 현실에 일어나는 일반적인 공격과 공격자가 무엇을 다음 주의대상으로 하는지 경향을 분석했습니다.