I would like to write a JavaScript library to wrap an API I plan on using in my application.

Now because of XSS restrictions I cannot simply have my script call out to the server hosting the API.

What are the options to get around this?

My initial research has turned up:

  1. Proxy: have the client library make calls back to my webapp's server, which acts as a proxy to the actual API server.
  2. Hidden Flash component: have the client-server communication flow through a hidden (.swf) Flash component (this, along with HTML5's postMessage, is what I believe Facebook is using in their new JavaScript API).
  3. JSONP: have the server wrap the generated JSON string so that it resembles a function call. Then, to make the API call, generate a script tag with the URL of the API call as its source and add it to the DOM.

I've successfully implemented a proof of concept using #3 but before I move forward I wanted to see if I was missing any alternatives.

Also, if anyone can shed any light on the postMessage solution Facebook is using, that would also be helpful.
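
The JSONP flow from option 3, shown from both sides as an added example that is not part of the original post. The names `jsonpWrap`, `jsonpRequest` and the `callback` query parameter are assumptions; the server side validates the callback name because it is echoed into executable script.

```javascript
// Added example, not code from the original post. jsonpWrap, jsonpRequest and
// the callback naming scheme are hypothetical names chosen for illustration.

// Server side: wrap the JSON payload so the response body is a function call.
// The callback name arrives in the query string, so restrict it to a plain
// dotted identifier before echoing it into executable script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpWrap(callback, data) {
  if (typeof callback !== 'string' || callback.length > 64 ||
      !CALLBACK_RE.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  // Escape "<" and the U+2028/U+2029 line separators so the payload cannot
  // close a script element or end a string literal in older engines.
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // Leading comment: the response never starts with caller-chosen bytes.
  return '/**/' + callback + '(' + json + ');';
}

// Client side: register a one-shot global callback, then add a script tag
// whose src is the API URL. doc and globalObj are parameters (document and
// window in a browser) so the function can also run under a test harness.
let jsonpCounter = 0;

function jsonpRequest(doc, globalObj, url, onData) {
  const name = '__jsonp_cb_' + (jsonpCounter++);
  const script = doc.createElement('script');
  globalObj[name] = function (data) {
    delete globalObj[name];                 // remove the global hook after use
    if (script.parentNode) script.parentNode.removeChild(script);
    onData(data);
  };
  const sep = url.indexOf('?') === -1 ? '?' : '&';
  script.src = url + sep + 'callback=' + encodeURIComponent(name);
  doc.head.appendChild(script);
  return name;
}
```

The returned script runs with the including page's full privileges, so this pattern only suits an API server the application already trusts.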