Ajaxian

Jobs @ Ajaxian

Find a Job, Post a job.

Topics

.NET (68)
3D (3)
Accessibility (57)
Adobe (88)
Advertising (3)
Ajax (383)
Ajaxian.com Announcements (15)
Android (2)
Announcements (96)
Appcelerator (2)
Apple (15)
Aptana (30)
Articles (216)
Atlas (8)
Bespin (6)
Book Reviews (21)
Bookmarklets (2)
Books (33)
Browsers (232)
Builds (4)
Business (16)
Calendar (12)
Canvas (141)
Cappuccino (8)
Chat (23)
Chrome (13)
Closure (3)
Cloud (4)
ColdFusion (10)
Comet (67)
Component (124)
Conferences (44)
Contests (1)
CSS (204)
Database (15)
Debugging (45)
Design (24)
Dojo (226)
DWR (17)
eBooks (1)
Editorial (288)
Email (5)
Examples (193)
Ext (81)
Firefox (105)
Flash (84)
Framework (71)
Fun (97)
Games (75)
Gears (69)
Geo (3)
Google (161)
- Chrome Frame (1)
GWT (85)
HTML (98)
IE (144)
Interview (28)
iPhone (65)
Java (156)
JavaScript (1302)
jMaki (7)
jQuery (171)
JSON (64)
Library (553)
LiveEdit (5)
LiveSearch (17)
Mac (1)
Mapping (43)
Microformat (5)
Microsoft (48)
Mobile (77)
MooTools (56)
Mozilla (22)
Office (9)
Offline (30)
OpenAjax (6)
OpenWebPodcast (5)
Opera (23)
Performance (163)
Perl (8)
PHP (89)
Plugins (12)
Podcasts (39)
Portal (13)
Pragmatic Ajax (2)
Presentation (67)
Programming (134)
Prototype (224)
Python (14)
Qooxdoo (8)
Rails (41)
Recording (8)
Remoting (19)
RichTextWidget (20)
Roundup (13)
Ruby (68)
Runtime (2)
Safari (53)
Screencast (40)
Scriptaculous (42)
Security (93)
Server (23)
Showcase (720)
Social Networks (15)
Sound (16)
SproutCore (1)
Standards (69)
Storage (5)
Survey (13)
SVG (37)
Testing (61)
The Ajax Experience (89)
TIBCO (25)
Tip (88)
Titanium (1)
Toolkit (172)
Tutorial (25)
Typography (2)
UI (125)
Unobtrusive JS (22)
Usability (83)
Utility (211)
Video (18)
View Source (2)
W3C (11)
Web20 (25)
WebOS (3)
Widgets (12)
Workshop (8)
XmlHttpRequest (43)
Yahoo! (146)
YUI (4)

xssinterface: cross domain access using postMessage and more

Malte Ubl has put together a library called xssinterface (somewhat scary name) that uses postMessage when available, and tries work-arounds when not, to give you cross domain JavaScript access.

How it works

For Browsers that support it, we use the postMessage() interface.

For all other browsers, we use the following mechanism:

All sites that participate in the cross domain calls must provide an html file (cookie_setter.html) that is provided by this library that enables other domains to place certain cookie under the domain of the site.

The library uses this mechanism to place cookies on the target domain that are then read and evaluated by the target page.

Pages must explicitly grant access to their domain by setting a security token cookie under a domain that is allowed to access the callbacks.

As a caller you say:

PLAIN TEXT

JAVASCRIPT:

function sayHello() {
var caller = new XSSInterface.Caller("www.two.com","/cookie_setter.html","channel1");
caller.call("hello", "Hello World")
}

As the listener:

PLAIN TEXT

JAVASCRIPT:

window.onload = function () {
window.xssListener = new XSSInterface.Listener("1234567890","channel1");
window.xssListener.allowDomain("www.one.com", "/cookie_setter.html");
window.xssListener.registerCallback("hello", function (msg) {alert(msg)} )
window.xssListener.startEventLoop()
}

It would be nice if the library used cross domain workers if Gears is installed.

Posted by Dion Almaer at 8:14 am
6 Comments

4.1 rating from 10 votes

6 Comments »

Comments feed TrackBack URI

This looks pretty cool. Could this be used to revive html-inline style Google Widgets or Facecook Apps without the security problems?

Mike

Comment by MikeSH12 — February 29, 2008

Hey, thanks for the post. Actually, I’m not sure whether this could be implemented (nicely) via Google Gears dross domain workers. I guess one could ask the cross domain worker to store a message on the local store and then have another non-cross-origin worker look for those messages.

Comment by Malde — February 29, 2008

Whats the pain with crossdomain info?
Using javascript seem to resolve the matter quite nicely..

Comment by Mikael Bergkvist — February 29, 2008