HTML and CSS Reference
Cross-domain policies you should be aware of
An HTTP request is called a cross-domain request when a page served from one
domain, for example, http://example.com, requires data from another, say
http://foo.com. By default, most browsers do not allow cross-domain requests for
resources, be it data or Flash assets, to prevent malicious access.
However, you can set a cross-domain policy file on the server (in the previous
example, the server where http://foo.com is served from), which allows browsers
to access these resources.
Flash requires this policy to be specified in a file called crossdomain.xml,
where you can specify which domains can request assets from the server.
This file is provided within HTML5 Boilerplate, and by default, the most restrictive
policy is enabled. If you do want the least restrictive policy, you can uncomment that
option and comment out the most restrictive one.
Do realize that you need to fully understand the implications of allowing
cross-domain requests for access to assets before you make the policy less
restrictive.
You can also make cross-domain AJAX requests, or restrict access to images or
fonts, by setting an HTTP header. This is known as the Cross-Origin Resource
Sharing (CORS) policy.
Cross-domain AJAX requests
By default, AJAX requests can only be made if the requesting page is on the same
domain as the URL it is requesting data from. CORS is a new HTML5 feature that
allows you to make AJAX requests from any domain, provided permission has been
given to the requesting domain. By setting an HTTP header on the server from which
you are requesting data using an AJAX request, you can overcome this limitation.
Let us look at how this can be done.