CrossSafe secure cross-domain scripting
September 10th, 2007Kris Zyp (rhymes with Skype!), founder of Xucia, introduces CrossSafe, a small Javascript library to enable secure cross-site scripting:
CrossSafe provides secure cross domain JSON requests and partially implements the JSONRequest specification (the get and cancel methods). XMLHttpRequest follows a same origin policy, and because of this, when developing mashups that involve retrieving data from servers other than the origin, developers have typically had to decide between a secure, but slow connection that through a proxy, or a direct, faster, but unsecure dynamic script tag retrieval of information. CrossSafe allows fast, direct, and secure connections to foreign servers from the browser. CrossSafe uses the JSONRequest API as it provides a subset of the JSONRequest features.
I’m really happy to see that Kris has not only come up with a viable cross-browser solution to the secure mashups problem, but has taken the initiative to implement it via the first-ever released implementation of the JSONRequest API proposed by Douglas Crockford nearly 18 months ago.
Not only that, but he has implemented it in such a way that should browser manufacturers ship a JSONRequest object, it will gracefully step out of the way:
CrossSafe does not implement the entire specification. However, developers can use the JSONRequest API in CrossSafe to make cross domain requests (which is one of the primary motivations for JSONRequest), and if and when browsers implement JSONRequest natively, CrossSafe will simply leave the JSONRequest object alone, and code will continue to operate with the benefits of a native implementation.
CrossSafe apparently uses a technique similiar to that described in the Subspace document I blogged about recently. I’m looking forward to inpecting the CrossSafe code since there was no code released with the research paper.
I met Kris in San Francisco in July at The Ajax Experience. I found him more than once in advanced conversations with people like Douglas Crockford and Brendan Eich – definitely a player to keep your eye on. You can see Kris speak in October at The Ajax Experience East.
Thanks, Kris, for stepping up to the plate. Great work.
Update:
Douglas Crockford points me to Collin Jackson’s JSONRequest Firefox Extension. Collin was also one of the authors of the Subspace document.
[…] I have long been a vocal advocate of the development of secure cross-domain methods in the browser. This is just the latest in a series of developments that make it apparent that the way forward is going to be built on existing browser technology without waiting for the browser vendors to bake in the necessary objects to support mashups. […]