Cross domain scripting with HTTP headers

Gruber linked to a pretty neat free API earlier today that returns a city and state when you send it a zip code, the service's main idea being to encourage web designers & developers to stop building forms requesting more information than required (since city & state can generally be ascertained from a zip code).

It's a cool API/service, but the most interesting part is how the API functions on the client side:

This is a pretty standard XHR used in client-side HTML or a script. The unique part is the remote resource being referenced in the open() method.

Web developers are taught that, in the browser, the XHR object cannot retrieve material from outside the page's own domain (the same-origin policy), the idea being to prevent malicious cross-site scripting.

A popular, and possibly still underutilized, way around this is JSONP ('JSON with padding'), which retrieves the remote resource as a script and injects it into the page. But Ziptastic's API is far simpler than that, and JSONP would add overhead that they're probably not looking for.

So, how do they do it? It's actually pretty simple, just using a specific HTTP header.

Access-Control-Allow-Origin

The browser sending the request is allowed to use the returned resource, because the remote server's response carries a wildcard value that matches any request Origin header:

Access-Control-Allow-Origin: *

This HTTP header is super handy for when you're working with material on multiple domains and need to make your own cross-domain requests from your app.

For more information on access control headers and what you can do with them, check out Mozilla's awesome doc page on them.

Note: most developers recommend against doing something like this, but it's up to you to qualify best practice.

JavaScript's String object has a variety of useful built-in methods for manipulating strings of text, but while `match`, `replace`, and `search` offer basic filtering capabilities via regular expressions, none of them returns true/false based on the expression outcome.

Of course, you can just add your own validation method to the global String object:

This is a pretty basic example, but you can add whatever regex you might need for the validation you're handling, and probably significantly reduce the amount of code you'll need in your app by eliminating the need for yet another third party jQuery plugin.

CentOS + Node.js OpenSSL not found

For TLS/SSL support, Node of course requires the appropriate dependencies. Strangely, the node configure script will still report the following with openssl-devel installed on CentOS.

Checking for openssl : not found


This is easily resolved by installing the curl-devel package and running the configure script again.

Checking for openssl : yes


If for some reason you then want to remove the curl-devel package, you can, and Node's configure script should still locate OpenSSL without an issue.

Simple Broadcasting with socket.io

Here's a simple example of how socket.io's broadcasting feature functions. Each time an instance of the page is opened or closed on a global level (after the first), it's written to the page.

Socket.io detects and leverages the best option for the connection based on the capabilities of your browser. In some cases, that may be a flash socket. If you (like me) do not have flash installed in your browser, another transport is used. Clearly, there are a lot of possibilities with something like this, and the API is easy to use since it sticks to Node's Javascript conventions.

RHEL Node.js v0.4.12 x86 RPM

Node.js v0.4.12 x86

- Installs node, node-waf to /usr/local/bin
- Installs node man page to /usr/local/share/man/man1

Built this evening, use at your own risk.

DISCLAIMER: This package has NO WARRANTY, and has nothing to do with the official Node.js project or Joyent (other than containing their software). This package will be out of date before you know it, and you should probably only use it for buggy development purposes, or not at all.

Note: I'm not able to offer support if this does not work for you, but I may be able to help with questions (inconsistently) on Twitter, @st_luke.