Friday, February 29th, 2008

xssinterface: cross domain access using postMessage and more

Category: JavaScript, Security

Malte Ubl has put together a library called xssinterface (somewhat scary name) that uses postMessage when available, and tries work-arounds when not, to give you cross domain JavaScript access.

How it works

For browsers that support it, we use the postMessage() interface.

For all other browsers, we use the following mechanism:

All sites that participate in the cross domain calls must provide an HTML file (cookie_setter.html), supplied by this library, that enables other domains to place certain cookies under the domain of the site.

The library uses this mechanism to place cookies on the target domain that are then read and evaluated by the target page.

Pages must explicitly grant access to their domain by setting a security token cookie under a domain that is allowed to access the callbacks.

As a caller you say:


  function sayHello() {
    // Caller(domain, path to the cookie setter on that domain, channel id)
    var caller = new XSSInterface.Caller("", "/cookie_setter.html", "channel1");
    caller.call("hello", "Hello World");
  }

As the listener:


  window.onload = function () {
    // Listener(security token, channel id)
    window.xssListener = new XSSInterface.Listener("1234567890", "channel1");
    // Grant a calling domain access to the callbacks registered below
    window.xssListener.allowDomain("", "/cookie_setter.html");
    window.xssListener.registerCallback("hello", function (msg) { alert(msg); });
    window.xssListener.startEventLoop();
  };
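
For the postMessage() path described under "How it works", the listener has to decide which sender origins, channels and callback names it accepts. The sketch below is an added example, not code from xssinterface or from the original post; createListener, allowOrigin, the JSON message shape and the example origins are assumptions.

```javascript
// Added illustration, not xssinterface source. The JSON message shape
// {channel, name, args} and all function names here are assumptions.
function createListener(channel) {
  const allowedOrigins = new Set(); // exact origins, e.g. "https://caller.example"
  const callbacks = new Map();      // callback name -> function

  return {
    allowOrigin(origin) { allowedOrigins.add(origin); },
    registerCallback(name, fn) { callbacks.set(name, fn); },

    // Takes a MessageEvent-like object; returns what was done with it.
    handle(event) {
      // 1. Exact-match allowlist on the browser-supplied origin.
      if (!allowedOrigins.has(event.origin)) return { ok: false, reason: "origin" };
      // 2. Treat the payload as data only: parse, never eval.
      if (typeof event.data !== "string") return { ok: false, reason: "format" };
      let msg;
      try { msg = JSON.parse(event.data); } catch (e) { return { ok: false, reason: "format" }; }
      if (msg === null || typeof msg !== "object" || !Array.isArray(msg.args)) {
        return { ok: false, reason: "format" };
      }
      // 3. Ignore traffic meant for another channel.
      if (msg.channel !== channel) return { ok: false, reason: "channel" };
      // 4. Only explicitly registered names are callable; a Map lookup
      //    cannot resolve inherited names such as "constructor".
      const fn = callbacks.get(msg.name);
      if (typeof fn !== "function") return { ok: false, reason: "callback" };
      return { ok: true, result: fn(...msg.args) };
    }
  };
}

// Constructed sample events (not captured traffic).
function demo() {
  const listener = createListener("channel1");
  listener.allowOrigin("https://caller.example");
  listener.registerCallback("hello", (text) => "got: " + text);
  const body = JSON.stringify({ channel: "channel1", name: "hello", args: ["Hello World"] });
  return [
    listener.handle({ origin: "https://caller.example", data: body }),
    listener.handle({ origin: "https://caller.example.lookalike.test", data: body }),
    listener.handle({ origin: "https://caller.example", data: body.replace("hello", "constructor") })
  ];
}
// In a page: window.addEventListener("message", (e) => listener.handle(e));
```
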

It would be nice if the library used cross domain workers if Gears is installed.

Posted by Dion Almaer at 8:14 am




This looks pretty cool. Could this be used to revive html-inline style Google Widgets or Facebook Apps without the security problems?


Comment by MikeSH12 — February 29, 2008

Hey, thanks for the post. Actually, I’m not sure whether this could be implemented (nicely) via Google Gears cross domain workers. I guess one could ask the cross domain worker to store a message on the local store and then have another non-cross-origin worker look for those messages.

Comment by Malde — February 29, 2008

What's the pain with crossdomain info?
Using javascript seems to resolve the matter quite nicely..

Comment by Mikael Bergkvist — February 29, 2008

Thanks for the hint to google gears. It is now implemented in trunk :)

Comment by Malde — March 1, 2008

I see it is sending data through the GET data it sends to cookie_setter.html.

Can it send more data in IE than the 2048 post character limit?

Comment by JustinMeyer — March 3, 2008

Tried on but no luck

Comment by thinkprabhu — March 5, 2008
