PART III
Chapter 10: Web Services and Beyond 501
This is somewhat similar to crossdomain.xml but a bit more granular since it can be used
on a file-by-file basis. For example, we might issue a header in our response like:
Content-Access-Control: allow <*>
This says the resource can be accessed by anyone from any domain. To be a bit less
permissive, we might limit it to requests from a particular set of domains with a response
like so:
Content-Access-Control: allow <ajaxref.com>
or even limit it to requests from a particular set of domains with exclusions:
Content-Access-Control: allow <ajaxref.com> <*.ajaxref.com> exclude <unsecure.ajaxref.com>
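To make the allow/exclude rules concrete, here is an added example (not code from the book or from the specification) that evaluates a header value against a requesting host. It assumes hostname-only patterns, `*` as a wildcard, and that exclusions override allows; the function names are hypothetical.

```javascript
// Added example: simplified evaluation of the draft Content-Access-Control
// syntax shown above. Assumptions: patterns are bare hostnames, "*" matches
// any host, "*.example" matches subdomains only, and exclude wins over allow.
function parseAccessControl(headerValue) {
  const rules = { allow: [], exclude: [] };
  let current = null;
  // Tokens are either a keyword (allow/exclude) or a <pattern>.
  for (const token of headerValue.trim().split(/\s+/)) {
    if (token === "allow" || token === "exclude") {
      current = token;
    } else if (current && /^<[^<>]+>$/.test(token)) {
      rules[current].push(token.slice(1, -1).toLowerCase());
    } else {
      throw new Error("Unrecognized token: " + token);
    }
  }
  return rules;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    // Suffix match on a label boundary: "*.ajaxref.com" must not match
    // "evilajaxref.com" or the bare "ajaxref.com".
    return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  }
  return pattern === host;
}

function isAccessAllowed(headerValue, requestingHost) {
  const host = requestingHost.toLowerCase();
  const { allow, exclude } = parseAccessControl(headerValue);
  // Check exclusions first so a broad allow cannot re-admit an excluded host.
  if (exclude.some((p) => hostMatches(p, host))) return false;
  return allow.some((p) => hostMatches(p, host));
}

// Constructed sample: the most restrictive header from the text.
const HEADER =
  "allow <ajaxref.com> <*.ajaxref.com> exclude <unsecure.ajaxref.com>";
for (const h of ["ajaxref.com", "www.ajaxref.com", "unsecure.ajaxref.com"]) {
  console.log(h, isAccessAllowed(HEADER, h));
}
```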
If the content items are generated, it is fairly easy to set these kinds of rules, but if we
are serving static files it might be a bit difficult to get them in place. You would likely have
to put the remotely accessible files in a particular directory and then set rules on your Web
server, for example using Apache’s mod_headers. However, the current specification does
provide one instance where that is not the case: serving XML files. In this case, a processing
instruction can also be used to specify the same kind of rule.
<?xml version='1.0' encoding='UTF-8'?>
<?access-control allow="*"?>
<packet>
  <message id="message1">To boldly go where no XHR has gone before...</message>
</packet>
FIGURE 10-4 Flash going where many XHR implementations fear to tread!