A solution to the cross-domain data access (scripting) problem

As Web 2.0 grows in popularity and mash-up applications become more common, cross-domain data access issues in web applications and platforms become more and more interesting to solve. The problem that exists today with web applications is that any script you add to a web page can only call an endpoint hosted on the same domain the page is served from. So if you want to build a gadget that is served from, let's say, live.com, the browser will prevent you from calling a web service endpoint on, let's say, mySite.com. This is a security feature that was put into browsers a long time ago and it is valid, but there are new valid scenarios, as I mentioned (mash-ups), where you do want to do this in a secure way. The same problem exists in Microsoft CRM V3.0. If you want to add some JScript to a CRM form to call a web service hosted on a domain other than the one the CRM page is served from, your browser will prevent you from making the call. Of course there are (very bad) workarounds, like lowering your IE security level, which is a bad, bad thing to do. A good alternative is to create a proxy on the server that is serving the web page, to tunnel the calls through to other sites on the server side. Live.com gadgets use such a model.
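The server-side proxy model described above, sketched as an added example that is not from the original post or from Live.com. The `/proxy/<name>/...` path layout, the `mysite` key and the `/services/` base path are assumptions; the point shown is pinning every tunneled call to an allow-listed upstream so the proxy cannot be pointed at arbitrary hosts.

```javascript
// Added example (not from the original post). Hypothetical layout: the page's
// own server exposes /proxy/<name>/<path>, and <name> selects a fixed upstream.
const ALLOWED_UPSTREAMS = new Map([
  ["mysite", "https://mySite.com/services/"], // assumed base path
]);

// Turn a same-origin request path into the upstream URL, or null if refused.
function resolveTarget(pathAndQuery) {
  try {
    // Parsing against a dummy origin normalises "..", "%2e%2e" and backslashes.
    const local = new URL(pathAndQuery, "http://proxy.invalid");
    const match = /^\/proxy\/([a-z0-9]+)\/(.*)$/.exec(local.pathname);
    if (!match) return null;

    const configured = ALLOWED_UPSTREAMS.get(match[1]);
    if (!configured) return null;
    const base = new URL(configured).href; // canonical form, lower-case host

    // "//host/..." or "http://host/..." in the remainder would resolve to a
    // different origin; the prefix check refuses anything outside the base.
    const target = new URL(match[2] + local.search, base);
    return target.href.startsWith(base) ? target.href : null;
  } catch {
    return null; // unparsable input is refused, not forwarded
  }
}

// Server-side fetch on behalf of the page script. fetchImpl is injectable so
// the function can be exercised without network access.
async function proxyFetch(pathAndQuery, fetchImpl = fetch) {
  const target = resolveTarget(pathAndQuery);
  if (target === null) return { status: 403, body: "upstream not allowed" };
  // No browser cookies or auth headers are forwarded, and redirects are not
  // followed, so the upstream cannot steer the proxy to another host.
  const upstream = await fetchImpl(target, { redirect: "manual" });
  return { status: upstream.status, body: await upstream.text() };
}
```

The page script then calls `/proxy/mysite/...` on its own origin, which the browser's same-domain rule permits.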


One interesting approach that I recently learned about is what Danny Thorpe, my colleague at Windows Live Developer Platform, has suggested in the recent issue of the Microsoft Architecture Journal. Danny does a good job describing the problem and provides some suggestions that allow cross-domain data access in a secure way. I should also mention that this issue of the Architecture Journal focuses on web architectures, and there are a number of other cool articles in there that you may find interesting.

Download the latest issue of the journal here.
