Secure Cross-Domain Communication: The Architecture Journal

  • Article

The June issue (Journal 12) of The Architecture Journal focuses on web architecture.  I was delighted to be invited to contribute, and wrote "Secure Cross-Domain Communication in the Browser" for this issue.  In the article I describe a somewhat bizarre technique we use in the Windows Live Contacts web control and Windows Live Spaces web control to move data from HTML pages running on *.live.com to and from third party web sites.  This is how the contacts control returns user-selected contact data to the page hosting the control, a web site that is not a Microsoft site.  

The print edition of Journal 12 is out already and was handed out at TechEd in Orlando earlier this month.  You can request a print copy by registering on the Journal's web site, or you can just grab the PDF and read it on-screen.  Journal 12 will rotate into the headlines on the Journal's homepage soon.

A few posts ago I mentioned I could finally reveal what I had been working on at Google.  Now I can also tell you in exquisite detail what I've been working on here at Microsoft for the past year and foreseeable future:  cross-domain browser communication techniques.  Coaxing stubborn little bits to migrate through impenetrable browser barriers. 

"Secure Cross-Domain Communication in the Browser" is a high-level walk-through of the iframe URL technique of passing information between domain contexts in the browser, it's limitations and weaknesses, and the approach we've taken to build a channel communications library to fortify against those weaknesses and limitations.

Over the next few weeks I will be posting here on Windows Live Quantum Mechanics a series of articles digging into the nitty gritty of cross-domain communication, why it has been taboo in the browser, why it's time to change that perception, and techniques and code you can use today to achieve it - without compromising security or server scalability. 

Cross domain communication would be much easier with the browser's help and shepherding, but with a little bit of effort we can actually do quite a bit today - safely - in spite of the browser's objections.