XSS/AJAX question - how do I send data?
[eluser]taewoo[/eluser]
I'm writing an app using CodeIgniter and jQuery. It's an embeddable widget that can be embedded onto 3rd party sites. Say XYZ.com has my widget, which resides on MY-server.com. XYZ.com has a page which has this.. Code: script language="javascript" src="http://www.my-site.com/script.js" (Sorry for the weird syntax... CodeIgniter forum protection, I guess) Now, I've noticed that XYZ.com can PULL information from my-server.com, but cannot send info back. I'm guessing this has to do with XSS security. But I need to send data back to my server. Does anyone know how this is resolved? I'm sure this is a solved issue b/c Google/Yahoo/MSN maps have already solved this...
[eluser]TheFuzzy0ne[/eluser]
I believe they load the content in an iFrame, and then use JavaScript to extract the data from it.
[eluser]taewoo[/eluser]
Kudos to you. Blog entry about this.. But I'm still sorta having an issue sending back data... here's the code. The "embed" code: Code: <HTML> http://www.my-server.com/callHome.js: Code: [removed]ln('<iframe id="callHomeFrame" name="callHomeFrame" style="width:0px; height:0px; border: 0px; display:none;" src="http://www.my-server.com/callHome.php"></iframe>'); http://www.my-server.com/callHome.php Code: <html> When I embed this onto any HTML in my-server.com.. it works. But anywhere, it fails.
[eluser]Dregond Rahl[/eluser]
Well, iframes are protected in Firefox and you can't extract data from the iframe because of a different domain. So it depends on what type of information you're sending and what information you're trying to get. You can send a POST request or GET request through an iframe so it works, but getting the information retrieved is harder depending on what you are sending and receiving.
[eluser]slowgary[/eluser]
jQuery AJAX calls using JSONP work cross domain. Use this: Code: <script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js'></script> Change the domain, script and variables, but leave the "?callback=?" portion. In your server-side script you'd access the above example as $_GET['username'] and $_GET['userid']. Add as many parameters as you need.
[eluser]slowgary[/eluser]
I'd recommend creating a wrapper for the 3rd party use.
[eluser]taewoo[/eluser]
[quote author="slowgary" date="1242468920"] Change the domain, script and variables, but leave the "?callback=?" portion. In your server-side script you'd access the above example as $_GET['username'] and $_GET['userid']. Add as many parameters as you need.[/quote] Thanks slowgary (though you don't sound very "slow") What's the "callback" param for? Is that even necessary?
[eluser]slowgary[/eluser]
I'm not sure honestly, I just know it works. The jQuery documentation might have more info about that.
[eluser]taewoo[/eluser]
Thanks gary. This sorta explains... http://www.ibm.com/developerworks/library/wa-aj-jsonp1/
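An added example (not code from this thread) of what the "?callback=?" part in slowgary's answer actually does, and what the server side on my-server.com needs to check before echoing it. The URL, parameter names and the generated callback name "jQuery123" are assumed for illustration; jQuery itself generates a random one.

```javascript
// Client side: jQuery replaces the "?" after "callback=" with the name of a
// temporary global function, then loads the URL as a <script> tag, which is
// the one request type the browser lets cross domains. This models that step.
function buildJsonpUrl(baseUrl, params, callbackName) {
  const url = new URL(baseUrl);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  url.searchParams.set("callback", callbackName);
  return url.toString();
}

// Server side: the callback value is written into a script the embedding page
// executes, so it must be restricted to a plain JS identifier. Echoing it
// unchecked turns the endpoint into a reflected script-injection point.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;

function buildJsonpResponse(callbackName, data) {
  if (!SAFE_CALLBACK.test(callbackName)) {
    return { status: 400, contentType: "text/plain", body: "bad callback" };
  }
  // JSON.stringify output is a valid JS literal, so the response is a single
  // statement: callbackName({...}); Note the endpoint is readable from any
  // site, so only return data you are willing to hand to every origin.
  const body = callbackName + "(" + JSON.stringify(data) + ");";
  return { status: 200, contentType: "application/javascript", body };
}

// Browser side: when the <script> finishes loading, the named global function
// runs with the data. Simulated here by defining the callback as a parameter.
function runJsonpResponse(callbackName, body) {
  let received = null;
  new Function(callbackName, body)((data) => { received = data; });
  return received;
}
```

The callback parameter is therefore not optional: without it the server would return bare JSON, which a `<script>` tag evaluates and discards, and the page would never receive the data.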