[axanoeychron]

This is an interesting hack: a host script can communicate with scripts in an iframe via the postMessage API and relying on the fact that a script running in the frame can make same-domain requests.

I am worried that people will choose this option just because it is easier rather than use what is technically the right thing to do. (CORS) Please don't use this unless you really have to. The arguments against CORS in the Readme aren't really compelling. The web is messy enough as it is.

[jabo]

    > Please don't use this unless you really have to

CORS is not fully supported in older versions of IE. So that essentially means that we need to resort to these hacks just for IE.

[jpillora]

It would be nice if we could forego these hacks, as @jabo mentioned, hacking around lack of support is our only choice. If it's not iframe+postMessage, then it'd be flash - either way it's suboptimal.