The release of Firefox 3.5 included several new features for developers.
One of the most interesting new features is the support for cross-domain HTTP requests made with XMLHttpRequest objects (see here for details) or, by using Mozilla’s terminology, cross-origin requests.
It is well known that browsers enforce restrictions on the scripts that they execute, and one such restriction is the same-origin policy, which prevents a document or script loaded from one origin from getting or setting properties of a document from another origin.
Here “origin” means the scheme, host and port of the URL, so for example a script downloaded from http://foo.com could not make a request – via XMLHttpRequest – to http://bar.com (different host) or even http://foo.com:8080 (different port).
This is troublesome, especially for certain kind of applications heavily based on JavaScript like Cometd applications, that often need to interact with different domains.
This same-origin restriction is so troublesome, that bright people figured out different ways of working around it.
For example, in Cometd applications, the JavaScript client can use a transport that allows the Bayeux communication with a server on a different origin; such transport is based on JSONP, a technique that uses the injection of script elements in the DOM to connect to a server on a different domain.
It works, but way less reliably than the standard, same-origin, transport that it is used by default in Cometd applications.
Fortunately this troublesome restriction, which dates back to Netscape Navigator 2.0, has been addressed by a new W3C specification (the Cross-Origin Resource Sharing Specification), that however requires changes in how a client (such as the XMLHttpRequest object) and a server interact.
Firefox 3.5 already implements this specification (and I guess we can expect most if not all other browsers to do the same in short time), so the client part is taken care of.
For the server side, Jetty 7.0.0.RC2 now ships a servlet filter that implements the cross-origin specification allowing, for example, Cometd applications running on Firefox 3.5 to perform Bayeux communication with a server on a different origin using XMLHttpRequest instead of using the JSONP workaround.
Needless to say, this makes the Cometd application more robust and reliable, and it is totally transparent for the application: just use a compliant browser, the latest Cometd JavaScript client and configure Jetty with the cross-origin filter. That’s it.
You can find detailed information regarding Jetty’s cross-origin filter here, and regarding Cometd configuration for cross-origin Bayeux communication here.