I would like to write a JavaScript library to wrap an API I plan on using in my application.
Now because of XSS restrictions I cannot simply have my script call out to the server hosting the API.
What are the options to get around this?
My initial research has turned up:
- proxy: have the client library make calls back to my webapp's server which acts as a proxy to the actual API server
- hidden Flash component: have the client-server communication flow through a hidden Flash (.swf) component (this, along with HTML5's postMessage, is what I believe Facebook is using in their new JavaScript API)
- JSONP: have the server wrap the generated JSON string so that it resembles a function call. Then, to make the API call, generate a script tag with the URL of the API call as its source and add it to the DOM.
I've successfully implemented a proof of concept using #3 but before I move forward I wanted to see if I was missing any alternatives.
Also, if anyone can shed any light on the postMessage solution Facebook is using, that would also be helpful.
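The JSONP approach described in the question, as an added example that is not part of the original post and not the asker's code: the server-side wrapper (with the callback-name check a practitioner wants, since that name comes from the query string and is attacker-controlled) and a browser-side helper that injects the script tag. Function names are hypothetical; `win` and `doc` are parameters only so the helper can be exercised with fakes outside a browser.

```javascript
// Added example (not the asker's code): the JSONP mechanism from the question,
// server side and client side. Function names are hypothetical.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/; // letters, digits, _ and $ only

// Server side: wrap the JSON in a call to the requested callback. The name
// arrives in the query string, so it is attacker-controlled; without the
// whitelist check the response becomes a reflected script-injection vector.
function buildJsonpResponse(callbackName, payload) {
  if (!SAFE_CALLBACK.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  // U+2028/U+2029 are legal inside JSON strings but are line terminators in
  // JavaScript source, so escape them before the JSON is evaluated as script.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The leading comment discourages the response being interpreted as anything
  // other than script by content sniffers.
  return `/**/ typeof ${callbackName} === 'function' && ${callbackName}(${json});`;
}

// Client side: register a one-off global callback, append a <script> tag whose
// src is the API URL, and resolve when the server's wrapper calls back.
// `win` and `doc` default to the browser globals; they are parameters so the
// helper can be driven with fakes outside a browser.
function jsonp(url, { timeoutMs = 10000, win = globalThis, doc = globalThis.document } = {}) {
  return new Promise((resolve, reject) => {
    const name = 'jsonp_cb_' + Math.random().toString(36).slice(2);
    const script = doc.createElement('script');
    const cleanup = () => { clearTimeout(timer); delete win[name]; script.remove(); };
    const timer = setTimeout(() => { cleanup(); reject(new Error('JSONP timeout')); }, timeoutMs);
    win[name] = (data) => { cleanup(); resolve(data); };
    script.onerror = () => { cleanup(); reject(new Error('JSONP script failed to load')); };
    const sep = url.includes('?') ? '&' : '?';
    script.src = url + sep + 'callback=' + encodeURIComponent(name);
    doc.head.appendChild(script);
  });
}
```

Note that the script tag runs whatever the API host returns with the page's full privileges, so this only makes sense when that host is trusted.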