While working on creating a bookmarklet for my new link sharing site, I ran into a new solution to a common cross-site scripting issue that allows POST requests to be sent from different originating sites.
Cross-Origin Resource Sharing (CORS) is a new mechanism that lets a site permit cross-site requests from scripts, subject to certain restrictions. A draft specification is available here: http://www.w3.org/TR/cors/. Essentially, CORS is a conversation you can choose to have with supporting browsers (IE8 and 9, Safari, and Chrome at this time): the server's response headers tell the browser whether it should allow or deny a specific request coming from a different originating site.
There are two ways this is handled:
So what does it take to get this working in Rails 3? Surprisingly, not all that much! The quick and dirty solution is as follows:
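As an added example (not the author's snippet), here is the header logic a Rails 3 before_filter for CORS would carry out, written in plain Ruby so it runs without Rails: it answers the OPTIONS preflight for a cross-origin POST and attaches the allow headers only for a whitelisted origin. The origin list, the allowed methods and the Rack-style env keys are assumptions for illustration.

```ruby
require 'set'

module CorsHeaders
  # Origins allowed to read responses from this site (constructed sample values).
  ALLOWED_ORIGINS = Set['https://links.example.com', 'https://bookmarklet.example.com'].freeze
  ALLOWED_METHODS = %w[GET POST OPTIONS].freeze
  ALLOWED_HEADERS = %w[Content-Type X-Requested-With].freeze

  # env is a Rack-style hash with 'REQUEST_METHOD', 'HTTP_ORIGIN' and, for a
  # preflight, 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'. Returns [status, headers];
  # status is nil when the normal controller action should run with those headers.
  def self.handle(env)
    origin = env['HTTP_ORIGIN']
    # No Origin header: same-origin or non-CORS request, so add nothing.
    return [nil, {}] if origin.nil?
    # Unknown origin: send no CORS headers and the browser refuses the read.
    # Echoing an arbitrary Origin back would open the endpoint to every site.
    return [nil, {}] unless ALLOWED_ORIGINS.include?(origin)

    headers = {
      'Access-Control-Allow-Origin' => origin, # the exact origin, not '*'
      'Vary' => 'Origin'                       # caches must key on Origin
    }

    if env['REQUEST_METHOD'] == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
      # Preflight: the browser asks whether the real request (e.g. POST) is permitted.
      requested = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return [403, {}] unless ALLOWED_METHODS.include?(requested)
      headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ')
      headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ')
      headers['Access-Control-Max-Age'] = '600' # browser may cache this answer
      return [200, headers]
    end

    # Simple or actual request: let the action run with the CORS headers attached.
    [nil, headers]
  end
end
```

In a Rails 3 app the same logic would live in a before_filter that copies the returned headers into `response.headers` and renders an empty body for the preflight.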
However, I would very much like to add broader support for the spec I linked to above, and plan on turning this into some sort of plugin soon.