10

I have an environment that doesn't allow server side scripting really (it is extremely difficult to get a script "installed" on the server). I tried using an iframe to violate javascript's same origin poilcy; however, that didn't work. Are there any other workarounds I am not aware of?

Thanks!

Improve this question
6
  • What browser(s)? How exactly did you try this? Post code? Commented Jan 14, 2010 at 19:42
  • JSON-P is the simplest solution, and the only one (AFAIK) that doesn't require browser plugins (such as Flash). This does require the cooperation of whomever runs the different origin site. Commented Jan 14, 2010 at 19:45
  • 1
    This question is probably the most frequently asked question here! A search would have brought up numerous answers. You need control over the scripts and pages on both domains (if you aren't able to edit content on both domains, you won't be able to do it), and need to either use a framework such as easyxdm.net or search for "cross domain messaging communications". HTML5 spec does have a postMessage method, but if you rely solely on this, it won't work in most browsers, so you'd need to fall back to an older "hack" method - why not just let a framework take care of this for you? Commented Jan 14, 2010 at 20:32
  • Sooo as an update. I found out about: YQL from ajaxian.com/archives/using-yql-as-a-proxy-for-cross-domain-ajax It will grab whatever url you specify and wrap it in JSON and return back. You could then use jquery's getJSON function to grab that url. It seems to be working :)! Commented Feb 9, 2010 at 17:42
  • Just use easyXDM, it's a library that enables cross-domain messaging with very little coding, and it doesn't need any server components. Commented Feb 15, 2010 at 22:56

2 Answers 2

Reset to default
29

As David Dorward mentioned, JSON-P is the simplest and fastest; however, there is another trick, specifically using two iframes.

Two get around this issue without using JSONP, you can do the following. This technique assumes that you have some sort of development access to the parent page.

There are three pages on two domains/sites.

  1. Parent page
  2. Content page
  3. Cross-domain communication page (aka "xdcomm")

Pages the parent and xdcomm pages are hosted on the same domain, the content page is hosted on any other domain. The content page is embedded as an iframe in the parent page and the xdcomm page is embedded as a hidden iframe in the content page.

enter image description here

The xdcomm page contains a very simple script that detects GET parameters in the query string, parses that string for method and args variables (where args is a JSON encoded string), and then executes the specified method with the specified arguments in the parent page. An example can be seen here (view source).

Even though JavaScript's Same Origin Policy restricts code on one domain from accessing that of another, it doesn't matter if domains are nested within each other (domain A, nested within domain B, nested within domain A).

So, in a nutshell, the content page sends messages to the parent page via the xdcomm page by changing the source of the iframe to something like http://domaina.com/xdcomm.html?src=foo&args=[1,2,3,4]. This would be equivalent to executing foo(1,2,3,4) in the parent page.

Also, know that there are already libraries that help you with this, such as easyxdm. What I've explained here is the basis of one of the techniques that they use, and while it might not be as fancy, it is certainly a fully functioning and lightweight implementation.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Actually yea please tell me!! :)
I'm actually going to write up something rather complete. Check back later.
Could you please provide working example, or link me to 1 already existing? - (I'd be greatly glad). I'm interested in pure JavaScript solution, without libs, scriplets or anything like that. I tried to find examples by my own. Sadly, best what I have found is this solution - ternarylabs.com/2011/03/27/… - but i can not see how I could use it, to mine data from external server used in embedded iframe. If fulfilling my request is somewhat impossible, please tell me, I`ll create a new question.
@Justin Johnson, nope, but it wouldn't help - I had no way to modify / add helper (or so on) to external server, that I wanted to connect, so Iframes were no use. I managed to solve my issue with jsonp which was allowed there.
easyXDM didn't seem easy at all to me. It is a quite heavy library, got dizzy looking at its code folder, could not find a simple example of "get json from a cross domain", and it seems to ultimately depend on Flash. I end up using YQL as explained below.
|
2

Hopefully not, as it would be a security hole! :)

But if both your sites are subdomains on the same domain, maybe document.domain can help.

Improve this answer

4 Comments

So if my domain is awesome.yahoo.com, for instance, and i am trying to access bob.yahoo.com, i could set document.domain to yahoo.com and then be able to access bob.yahoo.com?
Also I do realize it is a security hole; however, I was hoping that there was a hole hahaha. If you think about it using a proxy allows for a workaround. I dont understand why using a proxy is allowed while just accessing the file directly is not allowed. Also I heard html 5 has some attributes that also allows for cross-domain stuff.
A proxy won't send the users cookies or any other authentication data to the remote site - since it can't know what they are. It can only get data that the site could get anyway. It can't pretend to be the user. There is ongoing work to develop a permissions system so that XHR can access remote sites, browser support is currently weak.
Ahhh that makes sense. I had not considered that type of stuff.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.