Cross Domain Request Pattern

I had a project where I needed to exchange data between two domains using AJAX. For security reasons, all major browsers block cross-domain requests. If you control both domains, you could use HTTP headers as described in Cross-Origin Resource Sharing. I tried it, and found that not all browsers support this standard. The good thing is that you can still do it with the following simple idea.
Consider two domains and Obviously, needs to get some data from

- First, we call from a hidden iframe

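<iframe src=""
style="width:0;height:0;border:0px solid #fff;"></iframe>

<script type="text/javascript">
// Called by the proxy page inside the iframe once the reply is ready
function proxy_done(reply) {
  // ... process reply from
}
</script>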

The 'style' attribute hides the iframe. The ‘proxy_done’ function is called when the reply is ready. The iframe element with is not allowed to communicate with the parent page ( We just need to redirect it back to

- On, create request.html with something like the following.

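<script language="javascript" type="text/javascript">
var reply = ""; // ... process the request and get reply
// URL-encode the reply so characters such as & and # survive the redirect
self.location.href="" + encodeURIComponent(reply);
</script>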

The script redirects the iframe along with the reply data back to a proxy page (see below) that resides at

- At this time, the original iframe element on contains proxy_page.html with the reply from Because proxy_page.html is on it can now access its parent page. Now, we can call the 'proxy_done' function, and pass it the reply.

echo '<script> var reply="'.$_GET['reply'].'"; </script>';

That's it.
Most likely you'd want to be able to call dynamically from your JavaScript application at To do that, just create the iframe element dynamically... document.createElement("iframe")...all this DOM stuff follows...
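
The echo line in proxy_page.html writes the reply parameter straight into an inline script, so whatever arrives in the query string decides where the string literal ends. The following is an added example, not code from the original post: it ports that line to JavaScript beside an encoded variant and checks whether constructed reply values stay inside the literal. All function names are assumptions of this example.

```javascript
// Added example, not the post's code. The reply value is attacker-influenced:
// it arrives in the query string of proxy_page.html.

// JavaScript port of the post's line, same behaviour:
//   echo '<script> var reply="'.$_GET['reply'].'"; </script>';
function renderReflected(reply) {
  return '<script> var reply="' + reply + '"; </script>';
}

// Serialise the value as a JS string literal, then escape the characters the
// HTML parser acts on inside <script> (<, >, &) and the two line separators
// that older JS engines treat as newlines. In PHP the counterpart is
// json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP).
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderEncoded(reply) {
  return '<script> var reply=' + toScriptLiteral(reply) + '; </script>';
}

// True only if the markup is still one script element holding one string
// literal, i.e. the reply stayed data and did not become markup or code.
function replyStaysData(html) {
  return /^<script> var reply="(?:[^"\\\n<]|\\.)*"; <\/script>$/.test(html);
}

// Constructed sample values: plain text, a quote, a backslash, a closing tag.
const samples = ['ok', 'a"b', 'c:\\', '</script><p>'];

function compare(values) {
  return values.map((v) => ({
    value: v,
    reflected: replyStaysData(renderReflected(v)),
    encoded: replyStaysData(renderEncoded(v)),
  }));
}

console.log(compare(samples));
```

Only the plain-text sample survives the reflected form; the encoded form keeps all four values as data, and each literal decodes back to the original string.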


  1. echo '<script> var reply="'.$_GET['reply'].'"; </script>';

    That line is just BEGGING for a cross-site scripting attack!

  2. haha... nice 1 thanks for the idea :)