20. Allows for cross-origin ajax requests:
servers must opt-in
full support in all modern browsers
IE9/8 have partial support
no support for IE7 & older
21. XMLHttpRequest
methods: GET, POST, HEAD
headers: Accept, Accept-Language, Content-Language, Content-Type
Content-Type: text/plain, application/x-www-form-urlencoded, multipart/form-data
request includes an Origin header
response must include an Access-Control-Allow-Origin header
response optionally includes Access-Control-Expose-Headers
22. XDomainRequest
IE 8-9
methods: GET, POST, HEAD
cannot send ANY headers!
request includes an Origin header
response must include an Access-Control-Allow-Origin header
no access to response headers
no access to response status
23. browser-preflighted XMLHttpRequest
methods: DELETE, PUT
or GET/POST w/ non-simple headers or Content-Type
browser "preflights" request (OPTIONS) w/ Origin, Access-Control-Request-Method, & Access-Control-Request-Headers headers
server must respond with Access-Control-Allow-Origin, Access-Control-Allow-Methods, & Access-Control-Allow-Headers headers
browser then sends the original request w/ Origin header
server must respond w/ Access-Control-Allow-Origin header
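Added example (not from the original slides): the server side of the simple and preflighted flows on slides 21 and 23, written as a pure function over the request method and headers. The origin https://app.example.com, the allow-lists and the name corsDecision are assumptions made for illustration.

```javascript
// Hypothetical server policy: exact-match origins, plus the methods and
// non-simple headers the API is willing to accept cross-origin.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed sample
const ALLOWED_METHODS = ['GET', 'POST', 'HEAD', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// req: { method, headers } with lower-cased header names (as Node's http gives them).
// Returns { preflight, granted, headers }: the CORS headers to add to the response.
function corsDecision(req) {
  const result = { preflight: false, granted: false, headers: {} };
  const origin = req.headers['origin'];
  if (!origin) return result;                       // not a cross-origin browser request
  if (!ALLOWED_ORIGINS.has(origin)) return result;  // no opt-in: browser blocks the read

  const wantMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantMethod) {
    // Preflight: check the method and headers the browser announces it will send.
    result.preflight = true;
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantMethod)) return result;
    if (!wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return result;
    result.headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    result.headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  }
  // Both the preflight response and the actual response carry Allow-Origin.
  // Echo the vetted origin and mark the response as varying by Origin for caches.
  result.granted = true;
  result.headers['Access-Control-Allow-Origin'] = origin;
  result.headers['Vary'] = 'Origin';
  return result;
}

// Constructed exchange: the preflight for a PUT with a JSON body, then the PUT itself.
const preflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.example.com',
    'access-control-request-method': 'PUT',
    'access-control-request-headers': 'Content-Type',
  },
};
const actual = { method: 'PUT', headers: { origin: 'https://app.example.com' } };
console.log(corsDecision(preflight).headers);
console.log(corsDecision(actual).headers);
```

A request from an origin outside the allow-list, or a preflight naming a header outside ALLOWED_HEADERS, gets no Access-Control-* headers back, so the browser withholds the response from the calling script.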
24. Not supported, but workarounds available for some cases:
DELETE/PUT method -> POST w/ _method param