It's our own existing auth service (and I'm not on the implementation team). Most other usages of this service are not directly from the browser, but from the back-end via Java. I thought about proxying it via my service, but my service isn't SSL, so proxying still doesn't give me security anyway. I guess now I'm thinking maybe a small Flash component could be used to obtain the security token, as a cross-domain.xml installed on the server will allow Flash to cross domains. Not ideal.
On Wed, Oct 21, 2009 at 7:48 PM, Dave Methvin <dave.meth...@gmail.com> wrote:
>
> > That's correct, the problem is that it's an authentication service and while
> > I *could* put the credentials on the URL, it would be sending them in the
> > clear across the internet, which is not acceptable.
>
> That's a tough one. A typical jsonp implementation uses either iframes
> or (in jQuery's $.ajax case) a dynamically-inserted script tag.
> Neither allows you to affect the header that's sent. And of course
> XMLHTTPRequest lets you jiggle headers but doesn't allow cross-domain
> requests.
>
> Are you implementing your own cross-domain authentication service, or
> are you using some other service?