XMLHttpRequest in Safari/Dashboard/WebKit

According to Apple themselves, at this link http://developer.apple.com/internet/webcontent/xmlhttpreq.html (under Security Issues), the XMLHttpRequest object cannot be used to make cross-domain requests. However, I've seen tutorials like this http://www.oreillynet.com/pub/a/mac/2005/06/07/dashboard.html and actual working dashboard widgets like Twidget (http://www.frankmanno.com/widgets/twidget/) that use the object to call web services on another domain.

So, needless to say, I'm confused. Does Safari/Dashboard/WebKit somehow proxy the request? If I download Twidget and run it in Safari, it works fine, but if I run it in Firefox using Firebug, it gives me a Permission Denied error in the console when trying to make the XMLHttpRequest.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

b0lsc0ttIT ManagerCommented:
I am not a Safari expert and right now it is pretty hard for me to get firsthand info on it or play with it.  However I do know Javascript and the browser security issues you mention.  A proxy could be one way around this but it is usually done with signed or "trusted" scripts.  The browser, its security, and the way it uses Javascript affects this so a solution for Safari might not work the same way in IE, Firefox, Opera, etc.  The location of the script and page (i.e. intranet, Internet, local) can also affect this.  In other words the browsers will allow more things when the page and script are local or in an intranet than if it is an Internet webpage.

This should clear things up at least a bit.  Let me know what additional info you need or what other questions you have.  I can elaborate on most of what I mentioned so just need to let me know.  If you want more info on signed scripts, etc then let me know.

lukeinjaxAuthor Commented:
Well, I kind of suspected that there was something in Safari that allowed XMLHttpRequests from localhost, but I wasn't able to find anything on the web that says so. There isn't a whole lot of stuff out there on developing Dashboard widgets, and certainly nothing that I could find that went into the details about how/why XMLHttpRequests seem to work from Dashboard, but not from other hosts in Safari. Is there anything out there that can explain this a little better?
b0lsc0ttIT ManagerCommented:
The security is browser dependent but I doubt that Safari is the thing that allows it, at least directly.  I haven't been able to find details and I am not a Safari expert and have little experience with Dashboard but I can go off of my general experience with browsers and that object.  Dashboard is adding or extending the ability of the browser.  Basically to the browser it still looks local because Dashboard or the widget is used.  This isn't unique to Safari and Dashboard.  Let me know if you aren't sure what I mean.

If you want details on developing a widget then you can try to ask another question in the Safari zone or another more appropriate zone.  Let me know how this helps or if you have a question.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Mac OS X

From novice to tech pro — start learning today.