Comments on: Cross-Domain Data with Rack and Rails

By: Stulseple

Stulseple — Thu, 02 Jul 2009 17:55:08 +0000

Your blog is so interesting! I have subscribed on rss and I will read it regullary/

By: Jon Crosby

Jon Crosby — Tue, 09 Jun 2009 18:34:47 +0000

Neil, one example might be displaying a widget on your blog that contains your latest 5 status updates on Twitter. Another might be a public transit site that embeds arrival and departure times for various services (trains, buses, etc.). These are cases where read-only data hosted on other sites (sites that use CSSHttpRequest) might be valuable.

By: NeilCauldwell

NeilCauldwell — Wed, 03 Jun 2009 07:56:59 +0000

Right, thanks Jon. I'm still a little fuzzy on this – your point about the 'second use case' (getting a message) has thrown me as I thought that your example was getting 'Hello Rails' – but this question could clear things up; what would you see as a good use case for CSSHttpRequest from UI perspective?

By: Jon Crosby

Jon Crosby — Tue, 02 Jun 2009 18:35:59 +0000

Neil, CSSHttpRequest does not cover those use cases. It provides read-only data so posting would need to happen independently. For the second use case (getting a message), it requires a new HTTP request.

By: NeilCauldwell

NeilCauldwell — Sun, 31 May 2009 07:05:37 +0000

Does this enable a client to paste a widget in to their views (an email collection form, perhaps), to post data to the widget provider (i.e. emails post to another domain), and for widget provider to return a message to be rendered in the DOM via CSS, without another http request or redirect?

By: Randy Reddig

Randy Reddig — Fri, 29 May 2009 15:47:12 +0000

Hi, I created CSSHttpRequest. It implements a guard against expression evaluation in IE by specifically making the stylesheet target media=print.

I suppose it’s possible, however unlikely, to construct a scenario where untrusted code might be evaluated. It would require the user to print a page at the instant a CHR transport iframe containing malicious CSS is present on the page.

By: Double Shot #463 « A Fresh Cup

Double Shot #463 « A Fresh Cup — Fri, 29 May 2009 10:49:01 +0000

[...] Cross-Domain Data with Rack and Rails – Encoding data into CSS rules to get around cross-domain security policies is certainly one of the nastier perversions of web standards I’ve seen lately. [...]

By: Jon Crosby

Jon Crosby — Fri, 29 May 2009 05:02:15 +0000

ActsAsFlinn, the difference between JSON-P and AJACSS is that the later is just read-only data.

By: Jon Crosby

Jon Crosby — Fri, 29 May 2009 04:58:04 +0000

Dr Nic, I should have explained more clearly in the original post. The encoding is done on the side of the data provider so that all clients can access it without needing to set up their own proxies.

By: ActsAsFlinn

ActsAsFlinn — Fri, 29 May 2009 01:22:23 +0000

I don't see the objection to JSON-P. I'm not going to trust a partner more if they are using AJACSS over JSON-P. If I don't trust partner I'm not going to embed their service data on my pages. There are old precedents for providing features/widgets/ads via external javascript includes.

Also, isn't IE6 susceptible to XSS attack via CSS?

One thing is certain browsers need to provide a cross-domain non-eval'd data source mechanism. Why wasn't this addressed in HTML5? Seems like a bigger issue than web sockets.