How To Use XmlHttpRequest Across Sub-Domains

As you probably know XmlHttpRequest only works if the request is made to the same web server from which the page was fetched (same origin). Here is a way to communicate across sub-domains using XmlHttpRequest without resorting to reverse proxying.

Abe (@ fettig.net) found a solution using iframe and an exception to the “same origin” rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. Thus scripts running in either frame will now be allowed to talk to each other.

This method has a limitation as you can only make XmlHttpRequest calls up to the point where you set document.domain. Once you do that, you gain the ability to communicate with the parent frame, but you lose the ability to make future XmlHttpRequest calls.

Abe tried switching document.domain to make subsequent calls but that failed in Opera and Mozilla browsers. So he first tries switching document.domain in his code which works for Internet Explorer. If that fails then he uses a bridge frame to overcome the restrictions - document.location.replace(”test4-bridge.html”);
This bridge frame hack has been tested only on Mozilla browsers. So in essence his solution works for Internet Explorer and Mozilla groups of browsers.

Read about his adventure here.

I think such solutions, though ingenuous, are inherently fragile as they exploit a security loophole in browser implementation which is likely to be plugged in future.