
Show HN: Include this JS library to enable cross-origin requests

20 points | odedgolan | 12 years ago | github.com | reply

30 comments

[+] untog|12 years ago|reply
Overwhelmingly terrible idea. Routing your web site traffic through an entirely unknown third party server. Overwriting the global XMLHttpRequest object.

Please tell me this is a joke to show off terrible security practice?

[+] odedgolan|12 years ago|reply
Regarding overwriting XMLHttpRequest: if it works, it works, and if it breaks it can be improved; this is why it is open source. It does not reroute your site traffic, just your cross-origin site traffic, which practically does not exist without this library. Yes, it can be used to do bad things, but it also opens up the opportunity for mashups, external content integration, API calls and more.
[+] Joe8Bit|12 years ago|reply
Routing all your x-domain requests through an unknown third party via vanilla HTTP? What could possibly go wrong?
[+] odedgolan|12 years ago|reply
It's just your cross-origin traffic, which is not possible without this library, everything else will behave exactly the same.
[+] drderidder|12 years ago|reply
Please don't use this. JSONP and CORS are the accepted methods for cross origin requests.
[+] odedgolan|12 years ago|reply
You can only use JSONP and CORS with sites you have control over or that are designed to behave and support external requests. It makes it very very limited!
[+] buzzedword|12 years ago|reply
How is this remotely trending? Yes, HN, let's vote a MITM attack to the frontpage. This is a terrible idea.
[+] odedgolan|12 years ago|reply
Yes, it allows you to do bad stuff. But it also allows great things such as mashups, retrieving external content easily, etc.
[+] Scriptor|12 years ago|reply
This is just a proxy. If developers wanted to go this route they would set up the proxy on their own server instead of routing it through a 3rd party.
[+] odedgolan|12 years ago|reply
It's possible, we just make it easier. This library also makes it seamless (you can still use jQuery.ajax). They can use this library and just change the proxy URL.
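
Added example, not part of the thread and not code from the library under discussion: one way to take the self-hosted route Scriptor describes, with the proxy served from the site's own origin and restricted to a fixed set of HTTPS upstreams. The `/proxy?url=` route, the host names and the function names are assumptions made for illustration; it assumes Node 18+ for the global `fetch`.

```javascript
// Added example: same-origin proxy handler for Node 18+ (global URL and fetch).
// The hosts and the /proxy?url= route are constructed for illustration.
const ALLOWED_HOSTS = new Set(["api.example.com", "feeds.example.org"]);

// Return a vetted URL object, or null if the target must be refused.
function resolveUpstream(rawTarget) {
  let target;
  try {
    target = new URL(rawTarget);
  } catch {
    return null; // not an absolute URL
  }
  if (target.protocol !== "https:") return null;        // no plain-HTTP hop
  if (target.username || target.password) return null;  // no embedded credentials
  if (target.port !== "") return null;                  // default port (443) only
  if (!ALLOWED_HOSTS.has(target.hostname)) return null; // exact host match
  return target;
}

// Request handler for http.createServer(); mount it on the site's own origin.
async function proxyHandler(req, res) {
  const requestUrl = new URL(req.url, "http://localhost");
  const target = requestUrl.pathname === "/proxy"
    ? resolveUpstream(requestUrl.searchParams.get("url") ?? "")
    : null;
  if (req.method !== "GET" || target === null) {
    res.writeHead(403, { "Content-Type": "text/plain" });
    res.end("refused");
    return;
  }
  try {
    // The visitor's cookies and Authorization header are not forwarded upstream,
    // and redirects are not followed to hosts that were never vetted.
    const upstream = await fetch(target, { redirect: "manual" });
    if (upstream.status >= 300 && upstream.status < 400) {
      res.writeHead(502, { "Content-Type": "text/plain" });
      res.end("upstream redirect refused");
      return;
    }
    const body = Buffer.from(await upstream.arrayBuffer());
    res.writeHead(upstream.status, {
      "Content-Type": upstream.headers.get("content-type") ?? "application/octet-stream",
    });
    res.end(body);
  } catch {
    res.writeHead(502, { "Content-Type": "text/plain" });
    res.end("upstream error");
  }
}
```

Pass `proxyHandler` to `http.createServer()` behind the site's existing TLS termination; browser code then calls `/proxy?url=...` as an ordinary same-origin request.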
[+] Rami114|12 years ago|reply
If you need to ask why it is bad to route traffic through an untrusted third party over HTTP, for the love of god stop building web applications. This is not the right tool for the problem it's trying to solve.
[+] odedgolan|12 years ago|reply
"Untrusted" is the issue here, and trust is built over time. In the meantime you can use the library and implement the server side.
[+] silasb|12 years ago|reply
I would let the users know that requests get routed through a server you control.
[+] odedgolan|12 years ago|reply
It only goes through our servers if it's cross-origin. Normal HTTP same-origin requests are left intact (and you can see it in the code). It's stated in the README but perhaps it should be more apparent.
[+] Couto|12 years ago|reply
Seems a cool idea to use with mockups and prototypes, but an awful idea to use in a serious product.
[+] odedgolan|12 years ago|reply
Why? Remember, your product will function exactly the same. It just makes more things possible.