Suppose I manage two domains, www.api_domain.com and www.website_domain.com. www.api_domain.com offers an API that requires authentication from the user and then uses the session cookie to recognize the user who makes the requests. www.website_domain.com loads a script from www.api_domain.com into its pages, and that script wants to make calls to API URLs on www.api_domain.com with the user's current cookie and somehow use the results on the www.website_domain.com page.
For the initial script loading, or for any API URLs that do not require the user's session cookie, the simplest solution is to simply send
Access-Control-Allow-Origin: http:
in the response from www.api_domain.com. This seems to work in all browsers except IE, and although IE will not respect the Allow-Origin header for AJAX requests created using jQuery's AJAX methods, there are libraries like xdr.js that do some magic behind the scenes to make jQuery, IE, and the Allow-Origin header play well together and behave like all other browsers (I don't know the details of what xdr.js does, but it works great for non-accounting requests as far as I can see).
The problem occurs when I want to request a URL on http://www.api_domain.com that requires the user's session cookie. When this issue is discussed in a browser-agnostic setting, two solutions are usually suggested:
- Use Access-Control-Allow-Credentials: true in the reply from … to send cookies even with cross-domain requests.
- iframe: http://www.website_domain.com … http://www.api_domain.com, … HTML5 … http://www.api_domain.com … iframe.
1 … JavaScript API … http://www.api_domain.com … API … iframe, AJAX … iframe … iframe, API URLs …
… 1 … IE. Access-Control-Allow-Credentials: true … API URLs, … cookie … URLs, … IE 9 … xdr.js (… IE 8). … Access-Control-Allow-Origin … Access-Control-Allow-Credentials … www.api_domain.com, … IE … cookie.
- … Internet Explorer … Access-Control-Allow-Credentials … IE?
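As an added example (not code from the question or from xdr.js), here is the server-side policy for the first option above: the API answers a credentialed cross-origin request by echoing one trusted origin together with Access-Control-Allow-Credentials, never a wildcard, and the client opts in with withCredentials. The origin names are the question's placeholders; the allowlist and function names are assumptions.

```javascript
// Added example (not from the original question): a minimal CORS policy
// for an API that must accept cookie-bearing requests from one trusted site.
// ALLOWED_ORIGINS is a constructed allowlist using the question's placeholders.
const ALLOWED_ORIGINS = new Set(['http://www.website_domain.com']);

// Build the CORS response headers for one request. Returns null when the
// request's Origin is not trusted, so the caller sends no CORS headers at all.
function corsHeadersFor(requestOrigin, allowCredentials) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return null;
  const headers = {
    // Echo the single matching origin. With credentials the browser rejects
    // the wildcard "*", and echoing an arbitrary Origin would let any site
    // read the user's authenticated responses.
    'Access-Control-Allow-Origin': requestOrigin,
    // Tell caches that this response depends on the Origin request header.
    'Vary': 'Origin',
  };
  if (allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Headers for the preflight (OPTIONS) the browser sends before a credentialed
// request that uses a non-simple method or custom header.
function preflightHeadersFor(requestOrigin, requestedMethod) {
  const base = corsHeadersFor(requestOrigin, true);
  if (!base) return null;
  const allowedMethods = ['GET', 'POST'];
  if (!allowedMethods.includes(requestedMethod)) return null;
  return {
    ...base,
    'Access-Control-Allow-Methods': allowedMethods.join(', '),
    'Access-Control-Max-Age': '600',
  };
}

// Browser side (runs on www.website_domain.com): the session cookie for
// www.api_domain.com is only attached when the script opts in explicitly.
function credentialedRequest(url) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url);
  xhr.withCredentials = true; // without this the cookie is never sent
  return xhr;
}
```

Note that IE's XDomainRequest transport, which xdr.js wraps, never attaches cookies, which is why the credentialed case behaves differently there.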