xssinterface: cross domain access using postMessage and more
Date : 2008 02 29 Category : Tech & Development
Malte Ubl has put together a library called xssinterface (somewhat scary name) that uses postMessage when available, and tries work-arounds when not, to give you cross domain JavaScript access.
How it works
For browsers that support it, we use the postMessage() interface.
For all other browsers, we use the following mechanism:
All sites that participate in the cross domain calls must provide an HTML file (cookie_setter.html), supplied with this library, that enables other domains to place certain cookies under the domain of the site.
The library uses this mechanism to place cookies on the target domain that are then read and evaluated by the target page.
Pages must explicitly grant access to their domain by setting a security token cookie under a domain that is allowed to access the callbacks.
As a caller you say:
    function sayHello() {
        var caller = new XSSInterface.Caller("www.two.com", "/cookie_setter.html", "channel1");
        // Invoke the "hello" callback registered by the listener on www.two.com
        caller.call("hello", "Hello World");
    }
As the listener:
    window.onload = function () {
        window.xssListener = new XSSInterface.Listener("1234567890", "channel1");
        // Explicitly grant www.one.com access to the callbacks
        window.xssListener.allowDomain("www.one.com", "/cookie_setter.html");
        // Callers invoke registered callbacks by name
        window.xssListener.registerCallback("hello", function (msg) { alert(msg); });
        window.xssListener.startEventLoop();
    };
It would be nice if the library used cross domain workers if Gears is installed.
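On the postMessage path, the explicit grant described under "How it works" comes down to the receiving page checking each message's origin before dispatching to a registered callback. The sketch below is an added example, not xssinterface's own code: `createListener`, `allowOrigin`, `handleMessage` and the JSON message shape `{channel, name, arg}` are assumptions made for illustration.

```javascript
// Added example; all names and the message shape are hypothetical.
function createListener(channel) {
  const allowedOrigins = new Set(); // exact origins, e.g. "http://www.one.com"
  const callbacks = new Map();      // Map, so only registered names resolve
                                    // (no inherited keys such as "constructor")
  return {
    allowOrigin(origin) { allowedOrigins.add(origin); },
    registerCallback(name, fn) { callbacks.set(name, fn); },

    // Takes a MessageEvent-like object and returns a status string.
    handleMessage(event) {
      // Exact match on the browser-supplied origin. Substring or prefix
      // tests would also accept look-alike hosts that start with the name.
      if (!allowedOrigins.has(event.origin)) return "rejected: origin";

      // Treat the payload strictly as data: parse it, never eval it.
      let msg;
      try { msg = JSON.parse(event.data); } catch (e) { return "rejected: malformed"; }
      if (msg === null || typeof msg !== "object") return "rejected: malformed";
      if (msg.channel !== channel) return "rejected: channel";
      if (typeof msg.name !== "string" || !callbacks.has(msg.name)) {
        return "rejected: callback";
      }
      callbacks.get(msg.name)(msg.arg);
      return "dispatched";
    },
  };
}

// Constructed sample events mirroring the page's setup: a listener on
// "channel1" that trusts www.one.com and exposes a "hello" callback.
function demo() {
  const received = [];
  const listener = createListener("channel1");
  listener.allowOrigin("http://www.one.com");
  listener.registerCallback("hello", (msg) => received.push(msg));
  const call = (name) => JSON.stringify({ channel: "channel1", name, arg: "Hello World" });
  const results = [
    listener.handleMessage({ origin: "http://www.one.com", data: call("hello") }),
    listener.handleMessage({ origin: "http://www.one.com.other.example", data: call("hello") }),
    listener.handleMessage({ origin: "http://www.one.com", data: call("constructor") }),
    listener.handleMessage({ origin: "http://www.one.com", data: "not json" }),
  ];
  return { results, received };
}
```

In a browser the handler would be attached with `window.addEventListener("message", (e) => listener.handleMessage(e))`; here it is fed plain objects so it runs under Node.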