Comments on Introduction to Cross-Domain Ajax
This site has a very detailed explanation of the same origin policy and associated risks: http://taossa.com/index.php/2007/02/08/same-origin-policy/ You might want to mention it as a more thorough reference.
--Anonymous 15:10, 21 December 2007 (MST)
Hi Lloyd,
That's a very interesting piece of software. In my research for this series, I found several mentions of a Flash based solution, and even some (bad) implementations. Unfortunately I hadn't come across that one in particular.
Thanks for the tip! I'll definitely give that one a shot.
--Jimbojw 16:15, 21 December 2007 (MST)
Hi Anonymous,
While researching for this article mini-series, I did come across that article. You're absolutely right that it's a very thorough resource describing the same origin policy and attacks against it.
Thanks for commenting!
--Jimbojw 16:17, 21 December 2007 (MST)
Can anybody give me code for cross-domain access of an Ajax script? Thanks in advance.
--vaibhav 22:28, 11 February 2008 (MST)
I'm trying to call this API which returns a JSON object... http://developer.whitepages.com/docs/JSON
But I can't due to the restrictions of cross-domain calls mentioned above. I'm new to using JSON (and cross-domain calls) and was wondering if you have any ideas how I can call the whitepages API from a website on a different domain. Am I missing something easy? Or can it just not be done for security reasons? Thanks!
--Matt 15:07, 10 April 2008 (MST)
Hi Matt,
Well, there is a way to pull JSON data in a cross-domain fashion, but it only works in Firefox 2.0, and it requires a bit of very clever JavaScript (overloading the Array constructor temporarily, then reverting it).
If you want to do cross-domain Ajax, you'll want to use a technique referred to as On-Demand JavaScript in which the data service will return not just the JSON data, but a little chunk of wrapper code right in front.
So for example, instead of returning:

    {"key":"value","foo":"bar"}

It would return something like this:

    callback({"key":"value","foo":"bar"});

Then, the caller script would assign a new function to callback like so:

    window.callback = function( obj ) {
        alert( "key = " + obj.key ); // Alerts "value"
        alert( "foo = " + obj.foo ); // Alerts "bar"
    }
Prefixing the JSON in that fashion has been referred to as JSONP, and can be done by having the web service take an additional "callback" parameter to define what should be placed in front.
This is how Yahoo APIs work, in fact: they take a URL param called _callback for JavaScript-based web services. Yahoo Pipes is one such example service.
--Jimbojw 14:58, 11 April 2008 (MST)
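The JSONP exchange described in the reply above, sketched from the service's side as an added example (not part of the original comment or of any real API). The names `buildJsonp`, `runAsScript` and `demo` are hypothetical, and the rule that the "callback" parameter must be a plain, optionally dotted identifier is an assumption of this sketch; the sample inputs are constructed.

```javascript
// Added example: a JSONP responder that only accepts identifier-like callback names.
// Assumption: callbacks look like "callback" or "app.handlers.onData", max 64 chars.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function buildJsonp(callbackParam, data) {
  // The callback name is written verbatim in front of the JSON and then executed
  // by the caller's page, so anything that is not a bare identifier is refused.
  if (typeof callbackParam !== "string" || callbackParam.length > 64 ||
      !CALLBACK_RE.test(callbackParam)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  // Escape characters that are legal in JSON but risky once the text is script:
  // U+2028/U+2029 (line terminators in older engines) and "<" (closing a script tag).
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\u003c");
  return {
    status: 200,
    contentType: "application/javascript",
    body: callbackParam + "(" + json + ");",
  };
}

// Stand-in for the browser executing the <script> response: runs the body with
// the given functions in scope, as window.callback would be on a real page.
function runAsScript(body, globals) {
  const names = Object.keys(globals);
  return new Function(...names, body)(...names.map((n) => globals[n]));
}

function demo() {
  const received = [];
  // Well-formed request: same payload as in the reply above.
  const ok = buildJsonp("callback", { key: "value", foo: "bar" });
  runAsScript(ok.body, { callback: (obj) => received.push(obj) });
  // Constructed malformed callback value: refused instead of being echoed back.
  const bad = buildJsonp("x);doSomethingElse(", { key: "value" });
  return { ok, bad, received };
}

console.log(demo().ok.body); // the wrapped response the caller's page would execute
```

The caller still has to trust the data service completely, because whatever script the service returns runs with the calling page's privileges.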
What about this little gem:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <!-- Policy file for http://www.doubleclick.net -->
    <cross-domain-policy>
      <allow-access-from domain="*" />
    </cross-domain-policy>
Doesn't that just make it all wide open? Are there security risks associated with this?
I actually found this code on americanexpress.com
--spb@doctorunix.com 10:16, 21 April 2008 (MST)
You do not strictly have to use JSON for cross-domain JavaScript. As a rule of thumb, you cannot directly access the JavaScript from one domain to the other. However, you can pass messages and data across, which can then accordingly trigger events in the JavaScript.
One way is to use a proxy in between the two domains and relay an AJAX request to the other domain through the proxy. A detailed article on it is on http://www.mabaloo.com/Web-Development/Pear-HTTP-Request-A-Cross-Domain-AJAX-focused-tutorial.html
--Girish Singh 12:20, 3 May 2008 (MST)
Another way which does not involve a proxy but uses Iframes is by using the URL hash. http://www.mabaloo.com/Web-Development/Cross-Domain-Message-Passing-using-Iframe.html
--Girish Singh 12:20, 3 May 2008 (MST)
Hi,
- Lloyd
--Lloyd Dalton 13:52, 20 December 2007 (MST)