Completing Access Control support for XDomainRequest


Back in October, Sunava described changes that we made to the XDomainRequest (XDR) object in IE8 between the Beta 1 and Beta 2 releases. This object allows your AJAX web pages to request data from sites with a different hostname from the page itself, something that IE does not allow via XMLHttpRequest because of the same-origin policy. Since Beta 1 we have been working with the W3C Web Application group on the Access Control framework, and the changes we made in Beta 2 were to adopt the Simple Cross-Site Access Request.

I’m happy to announce that we have recently completed our support for the Access Control Check using the Access-Control-Allow-Origin header defined by the updated spec. This means that, in addition to the wildcard check (a header value of *, which lets any origin read the response) that we supported in Beta 2, we now also support the origin URL check, in which the header must name the requesting page’s own origin. This support will be part of the next public release of IE that Dean announced a few weeks ago.
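As an added example, not code from this post or from IE8 itself, the following JavaScript (runnable under Node.js) shows both halves of the check described above: the decision the browser makes from the Origin it sent and the Access-Control-Allow-Origin value it received (wildcard or exact origin match), and the allowlist a server can use to emit that header instead of reflecting whatever Origin arrives. The function names, the `api.example.test` service and its partner origins are assumptions made for the example; the small `fetchCrossSite` helper at the end is the page-side XDR call and only does anything in IE8, where `XDomainRequest` exists.

```javascript
// Added example (not code from the IEBlog post or from IE8): the two sides of
// the Access Control check. accessControlCheck, parseOrigin, allowOriginFor,
// PARTNER_ORIGINS, simulateExchange and fetchCrossSite are this example's names.

// Browser side. XDomainRequest sends the page's origin in an Origin header and,
// before firing onload, checks the Access-Control-Allow-Origin header of the
// response. `requestOrigin` is the serialized origin of the page
// (scheme://host[:port]); `allowOriginHeader` is the response header value, or
// undefined when the server sent none. Returns true if the page may read the body.
function accessControlCheck(requestOrigin, allowOriginHeader) {
  if (typeof allowOriginHeader !== 'string') return false; // no header: deny
  const value = allowOriginHeader.trim();
  if (value === '*') return true;                          // wildcard check (Beta 2)
  // Origin check: the header must be byte-for-byte identical to the requesting
  // origin. Nothing is normalized, so "http://example.test/" (trailing slash)
  // does not match the origin "http://example.test". A value holding several
  // origins is rejected here rather than searched, the conservative choice.
  if (/[\s,]/.test(value)) return false;
  return value === requestOrigin;
}

// Server side. Parse an Origin header value into a serialized origin, or null
// if it is not a well-formed http(s) origin. Comparing the parsed origin with an
// allowlist entry, rather than testing the raw header with startsWith or a loose
// regular expression, stops lookalikes such as
// "https://app.example.test.evil.test" or "http://evil.test/https://app.example.test".
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) return null;
  return url.origin; // scheme://host[:port], default port omitted
}

// Choose the Access-Control-Allow-Origin value for a response: '*' for data any
// site may read, the requesting origin when it is on the allowlist, and null
// (send no header) otherwise. Echoing every Origin back unconditionally would
// make the allowlist meaningless, so only allowlisted origins are echoed.
function allowOriginFor(requestOrigin, allowlist, isPublic = false) {
  if (isPublic) return '*';
  const origin = parseOrigin(requestOrigin);
  if (origin === null) return null;
  return allowlist.has(origin) ? origin : null;
}

// Constructed sample allowlist for a hypothetical service at api.example.test.
const PARTNER_ORIGINS = new Set([
  'https://app.example.test',
  'http://legacy.example.test:8080',
]);

// Run both sides for one page origin: the header the server would send and
// whether the browser would then expose the response to the page.
function simulateExchange(pageOrigin, allowlist = PARTNER_ORIGINS, isPublic = false) {
  const header = allowOriginFor(pageOrigin, allowlist, isPublic);
  return { header, exposed: accessControlCheck(pageOrigin, header) };
}

// Page side, for IE8 only (written with var because IE8 has no const/let).
// Returns false when XDomainRequest is unavailable so callers can fall back.
function fetchCrossSite(url, onData, onError) {
  if (typeof XDomainRequest === 'undefined') return false;
  var xdr = new XDomainRequest();
  xdr.onload = function () { onData(xdr.responseText); }; // fires only if the check passed
  xdr.onerror = function () { onError(); };               // check failed or request failed
  xdr.open('GET', url);
  xdr.send();
  return true;
}
```

Calling `simulateExchange('https://app.example.test')` yields the header `https://app.example.test` and `exposed: true`; `simulateExchange('https://app.example.test.evil.test')` yields no header and `exposed: false`; passing `isPublic = true` yields `*`, which every origin passes. Note that the server-side parse normalizes the Origin it receives (so `http://legacy.example.test:80` becomes `http://legacy.example.test` and is not on the list), while the browser-side comparison is exact, which is why the server must emit the origin exactly as the browser serialized it.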

I have recorded a short video that demonstrates how to use XDR and what this announcement means. It also shows how the Access Control framework is supported by other browsers allowing interoperable services to be called from your pages.

—Adrian Bateman, Program Manager, Internet Explorer

Comments (21)

  1. ieblog says:

    Sorry, we seem to be having some issues with the video.  We will have it fixed shortly.

  2. ieblog says:

    If the video isn’t working for you try refreshing the page and try it again.  This seems to fix it for most people.

  3. SVG says:

    http://www.msnbc.msn.com/id/26646919/#element(content/4/3/10)

    "Tim Berners-Lee, the British-born inventor of the World Wide Web"

    "Berners-Lee, director of the standard-setting World Wide Web Consortium, or W3C, said in an interview this week that Internet Explorer is falling behind other browsers in the way it handles an important graphics feature for Web pages."

    "A Web image that is encoded as a scalable vector graphic, or SVG, can be resized to fit the computer screen or zoomed into without becoming blocky and losing sharpness, as happens with images encoded as the more traditional "bitmaps." Maps are one popular use of SVG."

    "If you look around at browsers, you’ll find that most of them support scalable vector graphics," Berners-Lee said. "I’ll let you figure out which one has been slow in supporting SVG."

  4. frymaster says:

    I fail to see what this has to do with XDR, but I’ll bite… IIRC a common way to use SVGs is directly embedding them in the browser, which lets you take advantage of the fact that it’s just another XML format.  Someone said (I think in the IE7 blog), when relating to IE’s handling of MIME types involving XML, that they weren’t going to claim to handle XML until they actually could 100%.  I’d bet this is related.

    Sure, they could stick in a plugin to handle external SVG images only (like you can get from Adobe), but a major reason to use SVG is to make use of its ability to be manipulated via AJAX stuff.

    Or you could just use Silverlight ;)*

    *But SVG files are also produced by several other tools and apps, making it more desirable.  Sure, vector graphics (XAML) are also defined in XML, but tools don’t produce that.  They _do_ produce SVG files.

  5. Gyrobo says:

    Since you’re implementing Access Control headers, does that mean in future versions you will have AC headers in place for truetype/opentype fonts, like Mozilla does?

  6. EricLaw [MSFT] says:

    @Gyrobo: As discussed previously on the IEBlog, we’ve submitted the EOT format for standardization.  You do not need an Access-Control-Allow-Origin header to use EOT files.

    http://blogs.msdn.com/ie/archive/2008/07/21/font-embedding-on-the-web.aspx

    The existence of Access Control support for XDomainRequest is in no way related to Internet Explorer’s font-embedding support.

  7. Jim says:

    1st rule of putting up a video on the web.

    - If you are showing how to edit code, make sure that your video size is large enough that you can see the characters typed in the example.

    - If nothing else, just crop the window to the editor portion only (we don’t need to see toolbars, sidebars, the Start button/taskbar, etc.).

    (Bonus points if you turn ClearType™ off before recording so that the rendering output doesn’t look fuzzy)

  8. Jim says:

    Ugh! The linked video is the right size! Why the f@#$ is the embedded one not rendered the correct size?

    Man, I hate the lack of skills with posting on this blog.  Seriously – if you can’t hack it, get someone else to do the post.

  9. During the presentation I gave at MS Days 08 on IE8, I briefly mentioned some APIs that can

  10. Thomas Tallyce says:

    The presenter is very clear – I hope he will do more videos like this in future!

  11. YouTube says:

    nice video…you can’t read ****

    and the soapbox player sucks, too

    sorry to be honest.

  12. Alexandre says:

    Clear and interesting presentation.

    Will XMLHttpRequest with cross-Site be supported (later) in IE, so that we don’t have to provide two versions of the same code?

  13. Adrian Bateman [MSFT] says:

    @Alexandre: We think that XDomainRequest provides a secure approach to cross-site requests by separating this functionality. XDomainRequest offers a more restrictive programming model than XMLHttpRequest (XHR) and requires developers to be explicit about when they wish to make a request cross-site.

    We don’t currently have plans to implement cross-site support in XMLHttpRequest.

  14. Alexandre says:

    @Adrian Bateman: Thanks for your fast and clear answer. So we’ll have to deal with this double syntax for a while, but I guess libraries such as jQuery will soon take care of that…

  15. parijs trein says:

    Thanks very much for the presentation. It’s clear to me!

  16. kumaran says:

    Thanks, the video was very clear and helpful.

    How will we support backward compatibility for IE7 and IE6, as people will take time to migrate to IE8, and what about other browsers like Safari and Opera?

  17. Gyrobo says:

    @EricLaw:

    Thank you for your prompt response. I apologize for not responding in as timely a manner, but I was chained to a radiator for a week by a sadistic puppet.

    I don’t want to turn your post on XDomainRequest into a discussion on font embedding, so I won’t.

    However, if you want another discussion on font embedding, I’ll be here.

  18. IEBlog says:

    This is one of my favorite times in the product cycle. IE8 is platform complete and as we get closer

  19. You’ve probably already seen how Internet Explorer 8 Accelerators allow you to search very quickly the

  20. You’ve probably already seen how Internet Explorer 8 Accelerators allow you to perform searches very

  21. When we were planning Internet Explorer 8, the security team analyzed the common attacks occurring in the real world and the trends in what attackers would target next.