PART III
Chapter 10: Web Services and Beyond 501
This is somewhat similar to crossdomain.xml but a bit more granular, since it can be used
on a file-by-file basis. For example, we might issue a header in our response like:

Content-Access-Control: allow <*>

This says the resource can be attached by anyone from any domain. To be a bit less
permissive, we might limit it to requests from a particular set of domains with a response
like so:

Content-Access-Control: allow <ajaxref.com>

or even limit it to requests from a particular set of domains with exclusions:

Content-Access-Control: allow <ajaxref.com> <*.ajaxref.com> exclude <unsecure.ajaxref.com>

If the content items are generated, it is fairly easy to set these kinds of rules, but if we
are serving static files it might be a bit difficult to get them in place. You would likely have
to put the remotely accessible files in a particular directory and then set rules on your Web
server, for example using Apache’s mod_headers. However, the current specification does
provide one instance where that is not the case: serving XML files. In this case, a processing
instruction can also be used to specify the same kind of rule.

<?xml version='1.0' encoding='UTF-8'?>
<?access-control allow="*"?>
<packet>
<message id="message1">To boldly go where no XHR has gone before...</message>
</packet>

FIGURE 10-4 Flash going where many XHR implementations fear to tread!
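
The allow/exclude header rules described above, as an added example that is not from the book: a small JavaScript evaluator for the rule format. It assumes that "*" matches any domain, "*.ajaxref.com" matches subdomains only, an exclude entry overrides any allow entry, and a missing or malformed header means deny; the function names are hypothetical.

```javascript
// Added example: evaluates the allow/exclude rule format shown on this page.
// Assumed semantics (not taken from the specification text): "*" matches any
// domain, "*.example" matches subdomains only, and exclude overrides allow.

function parseAccessRule(value) {
  const rule = { allow: [], exclude: [] };
  let current = null;
  // Tokens are either the keywords allow/exclude or a <pattern>.
  for (const token of String(value).trim().split(/\s+/)) {
    const keyword = token.toLowerCase();
    if (keyword === "allow" || keyword === "exclude") {
      current = keyword;
    } else if (current && /^<[^<>]+>$/.test(token)) {
      rule[current].push(token.slice(1, -1).toLowerCase());
    } else {
      return null; // malformed rule: caller treats this as "deny"
    }
  }
  return rule;
}

function domainMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.ajaxref.com" -> host must end with ".ajaxref.com" (dot included).
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function isAllowed(headerValue, requestingHost) {
  const rule = headerValue ? parseAccessRule(headerValue) : null;
  if (!rule) return false; // no header or unparsable header: fail closed
  const host = requestingHost.toLowerCase();
  if (rule.exclude.some((p) => domainMatches(p, host))) return false;
  return rule.allow.some((p) => domainMatches(p, host));
}

// Constructed sample: the most restrictive header from the text.
const header =
  "allow <ajaxref.com> <*.ajaxref.com> exclude <unsecure.ajaxref.com>";
for (const host of ["ajaxref.com", "www.ajaxref.com",
                    "unsecure.ajaxref.com", "ajaxref.com.other.example"]) {
  console.log(host, isAllowed(header, host));
}
```

The last sample host shows why the wildcard is matched as a suffix that includes the leading dot: a look-alike name that merely contains "ajaxref.com" is not treated as a subdomain.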