There is often a need for a web application operating in a first domain to request information from a second domain. This is referred to as a cross-domain request. Due to security concerns, almost all client-side scripting languages (e.g., JavaScript®) have a same-origin policy. The XMLHttpRequest (XHR) application programming interface (API) available to various programming languages to make requests and receive responses also implements the same-origin policy. The same-origin policy prevents the originating domain from sending requests to a different domain and receiving a response. More specifically, the same-origin policy allows free access to the document object model (DOM) of a resource (e.g., a web page or web service) only if the target (i.e., destination) resource has the same host domain, protocol, and port number as the originating resource and prevents access to the DOM of a destination resource hosted in a different domain (i.e., having a different host, protocol, or port) than the originating resource.
A number of techniques to avoid the limitations imposed by the same-origin policy are available. Cross-origin resource sharing (CORS) is a draft standard that extends HTTP with new headers that allow a destination resource to explicitly specify the originating domains that can make requests to the server. While the proposed standard allows the use of a wildcard when specifying the originating domains to allow access from any domain, this introduces other limitations that may not be acceptable in some situations. For example, the use of the wildcard value “*”, which accepts any domain, does not allow the request to supply credentials (i.e., Secure Sockets Layer (SSL) certificates) or cookies.
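The trade-off described above can be made concrete on the server side. The following is an added example, not code from the patent or from any implementation it describes: a function that chooses the CORS response headers for a request, given the request's Origin and whether the response is meant to be readable with credentials (cookies or client certificates). The origin allow-list and the origin values are constructed for illustration. The point it demonstrates is that a credentialed response must echo one specific, allow-listed origin rather than the wildcard, and must mark the response as varying by origin so that caches do not hand one origin's response to another.

```javascript
// Added example (not from the patent text). Origins below are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the CORS headers a server should attach to a response for a request
// that carried `requestOrigin` in its Origin header.
//
// withCredentials === false: a public, credential-less resource; the wildcard
//   is acceptable and any origin may read the response.
// withCredentials === true: browsers refuse to expose a response that combines
//   "Access-Control-Allow-Origin: *" with "Access-Control-Allow-Credentials: true",
//   so the server must name exactly one origin, and only one it trusts.
function corsHeaders(requestOrigin, withCredentials) {
  if (!withCredentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    // Unknown or missing origin: send no CORS headers at all. The request may
    // still reach the server, but the browser will not let the page read the reply.
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The response body/headers depend on the requesting origin, so shared
    // caches must key on it; otherwise one origin's reply could be served to another.
    "Vary": "Origin",
  };
}

// Headers for a preflight (OPTIONS) response to a credentialed request.
// Only methods and headers the resource actually supports are advertised;
// `allowedMethods` and `allowedHeaders` are the resource's own policy.
function preflightHeaders(requestOrigin, allowedMethods, allowedHeaders) {
  const base = corsHeaders(requestOrigin, true);
  if (!("Access-Control-Allow-Origin" in base)) {
    return {}; // origin not trusted: refuse the preflight
  }
  return {
    ...base,
    "Access-Control-Allow-Methods": allowedMethods.join(", "),
    "Access-Control-Allow-Headers": allowedHeaders.join(", "),
    // Let the browser cache the preflight decision briefly (seconds).
    "Access-Control-Max-Age": "600",
  };
}

module.exports = { corsHeaders, preflightHeaders, ALLOWED_ORIGINS };
```

A server using this would call `corsHeaders(req.headers.origin, true)` when building a response that sets or relies on cookies, and fall back to the wildcard branch only for resources that carry no user-specific data.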
JavaScript Object Notation with Padding (JSONP) allows cross-domain requests without requiring the originating domain to be explicitly authorized by the destination resource. The JSONP response is typically JavaScript code that invokes a function call on JavaScript Object Notation (JSON) data. In other words, the JSONP response is a wrapper around the JSON data. This is accomplished by including a script element in the JSONP response that is dynamically injected into a hypertext markup language (HTML) document and loads the JSON data from the destination resource when executed in the originating domain. However, the use of JSONP puts the originating domain at risk. If the destination resource has any vulnerability that allows script code injection, the destination resource may be compromised (e.g., by malicious script code). When the script element in the response is executed, the originating domain is subject to attack from the malicious code.
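The risk described above arises on the destination side whenever the script it returns is assembled from untrusted input, most commonly the callback name the originating page supplies. The following is an added example, not code from the patent or any implementation it describes: it builds the JSONP response body in two forms, one that embeds the requested callback verbatim and one that first restricts the callback to a plain (optionally dotted) identifier and escapes characters that could break out of the JSON literal. The sample record and callback names are constructed for illustration; `jsonpHeaders` lists the response headers a hardened endpoint would send alongside the body.

```javascript
// Added example (not from the patent text). The record below is constructed.
const SAMPLE_RECORD = { user: "alice", balance: 42 };

// The callback name is spliced into executable script that will run in the
// originating domain, so it must be a bare identifier, optionally dotted
// (e.g. "app.onData"). Anything else is refused outright.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Unsafe form: whatever arrived in the callback parameter becomes script.
// If that parameter is attacker-influenced, the response is attacker script.
function jsonpUnvalidated(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened form. Returns null when the callback is unacceptable; the caller
// should answer with an error status and no executable body.
function jsonpValidated(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_NAME.test(callback)) {
    return null;
  }
  // U+2028 / U+2029 are legal inside a JSON string but are line terminators in
  // older JavaScript parsers, so they are escaped to keep the literal intact.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // The leading comment ensures the body cannot start with caller-chosen bytes,
  // which matters to non-browser consumers that sniff the first characters.
  return `/**/ ${callback}(${json});`;
}

// Headers for the hardened response: an explicit script content type and
// nosniff, so the body is interpreted only as the script it claims to be.
function jsonpHeaders() {
  return {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
}

module.exports = { jsonpUnvalidated, jsonpValidated, jsonpHeaders, SAMPLE_RECORD };
```

Validating the callback limits what the destination resource will emit, but it does not change the basic trust relationship the paragraph describes: the originating page still executes whatever script the destination returns, so any other injection path on the destination is inherited by every page that embeds it.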
It is with respect to these and other considerations that the present invention has been made. Although relatively specific problems have been discussed, it should be understood that the embodiments disclosed herein should not be limited to solving the specific problems identified in the background.