Monday, December 5th, 2005

Dynodes: Cross-Domain JS Demo

Category: JavaScript, Programming, XmlHttpRequest

Another cross-domain scripting effort: Dynodes is a demo of cross-domain scripting using the On-Demand JavaScript trick, where a script tag pointing at another domain is injected into the page instead of calling XMLHttpRequest (which is confined to the page's own domain). It’s “Dynodes” because the script tag is created via DOM manipulation.


var remoteScript=document.createElement('script');
remoteScript.id = 'rs';
remoteScript.setAttribute('type','text/javascript');
remoteScript.setAttribute('src','http://www.speculations.com/bar_js.php');
var hd=document.getElementsByTagName('head')[0];
// Gotcha: set attribute and src BEFORE appending, or Safari won't work
hd.appendChild(remoteScript);

A new script tag is created, and the previous one deleted, each time a call is made. After some monitoring with the Task Manager, Kent believes the effect on memory is not excessive.

He also notes that we need some kind of loading indicator. XMLHttpRequest will tell you when the remote content has loaded, but how can we know when a script has loaded? Polling in a loop seems too brute-force. ecmanaut recently asked about an “onload” mechanism for remote script downloading. One idea is to design the remote JavaScript so that it calls an event handler once it has loaded, which assumes a degree of control over the remote script.

Beware of the security risk with this technique – JSON inventor Douglas Crockford is quoted:

That (remote) script can deliver the data, but it runs with the same authority as scripts on the base page, so it is able to steal cookies or misuse the authorization of the user with the server. A rogue script can do destructive things to the relationship between the user and the base server.

It is safe in the particular example that Kent shows, but it is extremely dangerous in other patterns. Be extremely cautious in your own use, and even more cautious in teaching it outside. The unrestricted script tag hack is the last big security hole in browsers. It cannot be easily fixed because the whole advertising infrastructure depends on the hole. Be very cautious.
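The “call an event handler when loaded” idea from above, together with Crockford’s warning, as an added example that is not part of the original post or of Kent’s Dynodes demo. The remote script is assumed to wrap its payload in a call to a named global function passed in a `callback` query parameter (the parameter name, the `dynodesCb*` function names and the trusted-origin list are all assumptions for illustration), which is how the page learns that the script has arrived. Because the fetched script runs with the page’s full authority, the loader refuses any URL whose origin is not on an explicit allow list, and it removes both the script tag and the global callback after each call so repeated requests do not accumulate. The `doc` parameter defaults to the page’s `document`; it exists so the loader can be exercised outside a browser.

```javascript
// Added example, not the Dynodes demo's own code. Assumes the remote endpoint
// answers a request for .../bar_js.php?callback=dynodesCb0 with a script body
// such as:  dynodesCb0({"x": 1});
var dynodes = (function (global) {
  var counter = 0;
  // Origins whose scripts we are willing to execute. An assumption for the
  // example; in a real page this list is the whole security decision, since
  // anything these hosts serve runs with the page's authority.
  var trustedOrigins = { 'http://www.speculations.com': true };

  // Extract scheme + host (+ port) from an absolute http(s) URL, lower-cased.
  function originOf(url) {
    var m = /^(https?:\/\/[^\/?#]+)/i.exec(url);
    return m ? m[1].toLowerCase() : null;
  }

  // Request `url`; when the script arrives and calls the callback, pass its
  // argument to `onData`, then tear down the <script> tag and the global.
  // Returns the callback name so a caller can correlate requests.
  function load(url, onData, doc) {
    var origin = originOf(url);
    if (!origin || !trustedOrigins[origin]) {
      throw new Error('refusing to execute script from untrusted origin: ' + origin);
    }
    doc = doc || global.document;
    var cbName = 'dynodesCb' + (counter++);
    var head = doc.getElementsByTagName('head')[0];
    var script = doc.createElement('script');

    // The remote script calls this; its arrival is our "onload" event.
    global[cbName] = function (data) {
      try { delete global[cbName]; } catch (e) { global[cbName] = undefined; }
      if (script.parentNode) {
        script.parentNode.removeChild(script);
      }
      onData(data);
    };

    script.id = 'dynodes-' + cbName;
    script.setAttribute('type', 'text/javascript');
    // Set src BEFORE appending (the Safari gotcha noted in the post).
    script.setAttribute('src', url + (url.indexOf('?') === -1 ? '?' : '&') +
                        'callback=' + encodeURIComponent(cbName));
    head.appendChild(script);
    return cbName;
  }

  return { load: load, originOf: originOf };
})(typeof window !== 'undefined' ? window : globalThis);

// Usage in a page (assumed endpoint):
//   dynodes.load('http://www.speculations.com/bar_js.php', function (data) {
//     /* hide the loading indicator, render data */
//   });
```

The allow list only narrows who can be asked for a script; it does nothing about what a trusted host chooses to send, which is exactly Crockford’s point. Treat every origin on that list as having the same privileges as your own code.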

Posted by Michael Mahemoff at 3:46 pm


1 Comment »


I implemented something similar for Tagneto, the Dynamic Script Request API:

http://tagneto.org/how/reference/js/DynamicScriptRequest.html

It specifies callbacks, and even supports a mechanism to send long requests to the server by segmenting them across multiple requests.

There is a test page here:

http://tagneto.org/test/test/jstest/srvrscripttest/Test.html
(The addUsingServerCallback Test)

The “server” page in this test is really just a static JS file that parses the SCRIPT SRC tags to get the _partOk and _ok callbacks.

Comment by James — December 5, 2005
