
getXDM or JSONP which one to use to circumvent same origin policy


I am creating a JavaScript widget which gets around 4-6KB of data from a WCF service hosted by me and uses the canvas tag (HTML5) to draw some charts. I want anybody to be able to embed this widget in their websites by copy-pasting some HTML and JavaScript shared by me.

Now the problem: the same-origin policy. It doesn't allow any XHR request from the host domain of the widget to the WCF service on my domain, which means anyone using the widget cannot get the data from my WCF service (every request will get around 4-6kb of data in response).

I have gone through the previous discussions on this site and found the following possible solutions:

  1. JSONP (can be used with my WCF service)
  2. Hidden iframes (not possible as I do not have control over both the domains)
  3. window.postMessage (not sure if JavaScript libraries can make it work in old browsers i.e. IE6)
  4. Cross-Origin Resource Sharing (CORS) (not possible as I want to be able to support old browsers i.e. IE6)
  5. The reverse proxy method (not possible as I do not have control over the server of the user's website)
  6. easyXDM (can be a possible solution but need to explore how to use it with my WCF service)

Firstly, I would like to confirm with you guys that the brief analysis I have done of the different possible approaches is correct and that I am not missing out on any great solution that anyone is using. If my analysis is correct, I would like to discuss the pros and cons of these approaches.

Secondly, I know that Facebook, Twitter and Google all share their apps (exactly the way I want to share) and have overcome this problem in order to do so. Can anybody point me in the direction where I could find more about how they have solved this problem?


Solution

  • It's something you need to judge based on

    • How large it's acceptable for your widget to be, including libraries.
    • How frequently you'll need to poll the service, or whether it's a one-time event.
    • How important full browser compatibility is to you.

    For the specific use case you describe, I would recommend JSONP. It would keep the widget very small, is a good cross browser solution and can handle the modest data requirements.

    Google etc. use "comet" type solutions, in which a socket-like stream is persisted between client and server. This shouldn't be used for widgets as it would hog browser resources.
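
The JSONP exchange recommended above, shown from both sides as an added example (not code from the original answer or from the asker's WCF service): the service must treat the callback name as untrusted input, because it is reflected into a script that every embedding site executes. The names `buildJsonpResponse`, `loadChartData`, the `callback` query parameter and the `chartWidgetCb_` prefix are assumptions, and the service side is sketched in JavaScript only to show the response format.

```javascript
// Added example. Service side sketched in JavaScript for illustration only.

// Allow plain (optionally dotted) identifiers; anything else is rejected
// instead of being reflected into executable script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63})*$/;

function buildJsonpResponse(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  // JSON.stringify leaves "<", U+2028 and U+2029 raw. Escape them so the
  // payload cannot close a <script> block or break older JS parsers.
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    contentType: "application/javascript; charset=utf-8",
    // Fixed prefix: the response never starts with caller-chosen bytes.
    body: "/**/" + callback + "(" + json + ");",
  };
}

// Widget side (var and DOM level 0 calls only, so it also runs in old IE).
// Loads the endpoint through a script tag with a one-shot global callback.
function loadChartData(serviceUrl, onData) {
  var name = "chartWidgetCb_" + new Date().getTime() + "_" +
    Math.floor(Math.random() * 1e6);
  var script = document.createElement("script");
  window[name] = function (data) {
    // Old IE throws on delete of a window property, so fall back to undefined.
    try { delete window[name]; } catch (e) { window[name] = undefined; }
    script.parentNode.removeChild(script);
    onData(data);
  };
  script.src = serviceUrl + (serviceUrl.indexOf("?") < 0 ? "?" : "&") +
    "callback=" + encodeURIComponent(name);
  document.getElementsByTagName("head")[0].appendChild(script);
}
```

Because the response runs as script in the embedding page's origin, JSONP gives the service full script execution on every site that embeds the widget, and the endpoint should serve only data that is safe for any origin to read.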