I was playing around with my API for FAP and made a very simple, 7kb, browser-based mass upload tool. Permissions and authentication are verified with JSON on the client side and files are uploaded using a plain POST request. Easy enough.
The problem came when I was trying to get my script to POST to the API. Asynchronous cross domain requests aren’t permitted in most browsers. It’s a serious security risk.
My solution: the iframe.
By targeting all POST requests to an invisible iframe the cross domain issue is no longer a problem.
You can even check progress with the onload() event.