XSS/AJAX question - how do I send data?
#1

[eluser]taewoo[/eluser]
I'm writing an app using CodeIgniter and jQuery. It's an embeddable widget that can be embedded onto 3rd party sites.

Say XYZ.com has my widget, which resides on MY-server.com. XYZ.com has a page which has this..
Code:
<script language="javascript" src="http://www.my-site.com/script.js"></script>

(Sorry for the weird syntax... CodeIgniter forum protection, I guess)


Now, I've noticed that XYZ.com can PULL information from my-server.com, but cannot send info back. I'm guessing this has to do with XSS security. But I need to send data back to my server.

Does anyone know how this is resolved? I'm sure this is a solved issue because Google/Yahoo/MSN Maps have already solved this...
#2

[eluser]TheFuzzy0ne[/eluser]
I believe they load the content in an iFrame, and then use JavaScript to extract the data from it.
#3

[eluser]taewoo[/eluser]
Kudos to you.
blog entry about this..

But I'm still sort of having an issue sending data back... here's the code

The "embed" code:
Code:
<HTML>
<BODY>
<p><a >Yes</a></p>
<a href="http://www.htmlcodetutorial.com/help">HTML Code Tutorial</a>
</BODY>

<script language="javascript" src="http://www.my-server.com/callHome.js"></script>
</HTML>


http://www.my-server.com/callHome.js:

Code:
// Inject a hidden iframe, served from my-server.com, into the host page.
document.writeln('<iframe id="callHomeFrame" name="callHomeFrame" style="width:0px; height:0px; border: 0px; display:none;" src="http://www.my-server.com/callHome.php"></iframe>');

// Hook every link on the host page so that a click reports the link's href
// to the callHome() function defined inside the iframe.
var hrefs = document.getElementsByTagName('a');
for (var i = 0; i < hrefs.length; i++) {
    //if(hrefs[i].href.match(/result.php/g) !=null) {

    var td = hrefs[i];
    if (td.attachEvent) {
        // attachEvent expects a function, not a string of code; a closure
        // keeps each link's own href.
        td.attachEvent('onclick', (function (href) {
            return function () { top.frames["callHomeFrame"].callHome(href); };
        })(hrefs[i].href));
    } else {
        // the href is spliced unescaped into the handler source here
        td.setAttribute('onclick', 'top.frames["callHomeFrame"].callHome(\'' + hrefs[i].href + '\')');
    }

}

http://www.my-server.com/callHome.php

Code:
<html>
<head>
<script language="javascript">

var callHomeURL = 'http://www.my-server.org/home.php';
function callHome(data)
{
    // encodeURIComponent is the JavaScript equivalent of PHP's urlencode()
    var n = callHomeURL + "?uri=" + encodeURIComponent(data);
    location.href = n;
}
</script>
</head>
</html>

When I embed this into any HTML page on my-server.com, it works. But anywhere else, it fails.
#4

[eluser]Dregond Rahl[/eluser]
Well, iframes are protected in Firefox and you can't extract data from the iframe because of a different domain. So it depends on what type of information you're sending and what information you're trying to get. You can send a POST request or GET request through an iframe, so it works, but getting the information retrieved is harder depending on what you are sending and receiving.
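The point in posts #3 and #4 is that a host page may navigate a cross-origin iframe it contains (set its src, or submit a form into it) but may not read the iframe's document or call functions defined inside it, which is exactly what `top.frames["callHomeFrame"].callHome(...)` attempts. The following is an added example, not code from the thread, showing the write-only version of that channel: the widget script reports by navigating the hidden iframe itself, so no cross-origin access is attempted. The origin, endpoint path and field names are assumptions.

```javascript
// Added example (not from the thread): a widget script that reports data back
// to its own origin through a hidden iframe. The host page may navigate the
// iframe (set its src) but never reads anything from it, so it works the same
// on my-server.com and on any third-party site. Origin, path and field names
// below are assumptions.

const WIDGET_ORIGIN = 'https://www.my-server.com'; // assumed widget server
const CALL_HOME_PATH = '/home.php';                // assumed report endpoint
const ALLOWED_FIELDS = ['uri', 'widget'];          // only these keys are sent

// Build the report URL. Keys are allow-listed and every value is
// percent-encoded, so a crafted href cannot smuggle extra parameters.
function buildCallHomeUrl(fields) {
  const parts = [];
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(fields, key)) {
      parts.push(encodeURIComponent(key) + '=' + encodeURIComponent(String(fields[key])));
    }
  }
  return WIDGET_ORIGIN + CALL_HOME_PATH + (parts.length ? '?' + parts.join('&') : '');
}

// Create the hidden iframe once. `doc` is passed in rather than taken from the
// global scope so the logic can be exercised outside a browser.
function ensureCallHomeFrame(doc) {
  let frame = doc.getElementById('callHomeFrame');
  if (!frame) {
    frame = doc.createElement('iframe');
    frame.id = 'callHomeFrame';
    frame.name = 'callHomeFrame';
    frame.style.display = 'none';
    doc.body.appendChild(frame);
  }
  return frame;
}

// Report by navigating the hidden iframe to a GET URL on the widget origin.
// Nothing inside the iframe is ever read, so no cross-origin access occurs.
// Returns the URL that was loaded.
function callHome(doc, fields) {
  const frame = ensureCallHomeFrame(doc);
  const url = buildCallHomeUrl(fields);
  frame.src = url;
  return url;
}

// Hook every link on the host page, as callHome.js in the thread did, but with
// a closure per link (so each handler keeps its own href) and a real function
// for attachEvent. Returns the number of links instrumented.
function instrumentLinks(doc) {
  const links = doc.getElementsByTagName('a');
  let count = 0;
  for (let i = 0; i < links.length; i++) {
    const a = links[i];
    const handler = function () {
      callHome(doc, { uri: a.href, widget: 'demo' });
    };
    if (a.addEventListener) {
      a.addEventListener('click', handler, false);
    } else if (a.attachEvent) {
      a.attachEvent('onclick', handler);
    }
    count++;
  }
  return count;
}

// In a browser, run against the real document; elsewhere this is a no-op.
if (typeof document !== 'undefined') {
  instrumentLinks(document);
}
```

The trade-off of this channel is that it is one-way: the widget cannot learn whether the report was accepted. On the server side, home.php receives a plain GET from whatever site embeds the widget, so the uri parameter must be treated as untrusted input and the endpoint should not perform state-changing actions on behalf of a logged-in user, since any page can trigger it.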
#5

[eluser]slowgary[/eluser]
jQuery AJAX calls using JSONP work cross domain. Use this:
Code:
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js'></script>
<script type='text/javascript'>
$.getJSON('http://www.my-server.com/server.php?callback=?', {username : 'bob', userid : 54321 });
</script>

Change the domain, script and variables, but leave the "?callback=?" portion. In your server-side script you'd access the above example as $_GET['username'] and $_GET['userid']. Add as many parameters as you need.
#6

[eluser]slowgary[/eluser]
I'd recommend creating a wrapper for the 3rd party use.
#7

[eluser]taewoo[/eluser]
[quote author="slowgary" date="1242468920"]
Change the domain, script and variables, but leave the "?callback=?" portion. In your server-side script you'd access the above example as $_GET['username'] and $_GET['userid']. Add as many parameters as you need.[/quote]

Thanks slowgary (though you don't sound very "slow")

What's the "callback" param for? Is that even necessary?
#8

[eluser]slowgary[/eluser]
I'm not sure honestly, I just know it works. The jQuery documentation might have more info about that.
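As an added example (not code from the thread), here is what the "?callback=?" part of the $.getJSON call in post #5 does, answering the question in post #7 from both ends of the exchange. jQuery replaces the "?" with a generated function name (the constructed request below uses jsonp1242468920), inserts a script tag pointing at my-server.com, and expects the reply to be JavaScript that calls that function with the data. Because the reply runs as a script inside the embedding page, the server must echo only a callback name it has validated; an unchecked callback parameter is a reflected script-injection point on the widget's own origin. The endpoint path and field names are assumptions.

```javascript
// Added example (not from the thread): the JSONP exchange behind
// $.getJSON('...server.php?callback=?', {...}), with a server that answers it
// safely and a stand-in for what the browser does with the reply.
// Endpoint path and field names are assumptions.

// A callback name is accepted only as a plain JavaScript identifier of
// bounded length (jQuery's generated names satisfy this).
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Parse the request URL's query string into a plain object.
function parseQuery(url) {
  const out = {};
  new URL(url).searchParams.forEach((value, key) => { out[key] = value; });
  return out;
}

// Wrap a payload in the callback call, or return null if the name is invalid.
// JSON.stringify output is a valid JavaScript expression except for the two
// line-separator characters, which are escaped here. The leading /**/ is a
// common JSONP convention that stops the reply from being read as another
// file format.
function buildJsonpResponse(callbackName, payload) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) {
    return null;
  }
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '/**/' + callbackName + '(' + json + ');';
}

// Server side, what server.php in the thread would do: read username and
// userid from the query string and answer in the requested callback.
function handleJsonpRequest(url) {
  const q = parseQuery(url);
  const body = buildJsonpResponse(q.callback, {
    ok: true,
    username: q.username || null,
    userid: q.userid || null,
  });
  if (body === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      // Served as script, never as text/html, and not sniffable.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body,
  };
}

// Client side, what the browser does with the reply: the page has defined the
// callback function, then the script tag's body is evaluated and calls it.
// new Function stands in for the script tag so the exchange runs outside a
// browser. Returns the data the callback received.
function simulateBrowser(responseBody, callbackName) {
  let received = null;
  const callback = (data) => { received = data; };
  new Function(callbackName, responseBody)(callback);
  return received;
}

// Constructed demo request, in the shape $.getJSON(...) would produce.
const demoUrl = 'http://www.my-server.com/server.php?callback=jsonp1242468920&username=bob&userid=54321';
const demoResponse = handleJsonpRequest(demoUrl);
console.log(demoResponse.body);
console.log(simulateBrowser(demoResponse.body, 'jsonp1242468920'));
```

Two things follow from the mechanics. The callback is necessary because a script tag can only execute code, not hand back a JSON string, so the server has to wrap the data in a call the page already expects. And the embedding page is trusting my-server.com completely: whatever that script returns runs with the third party's page privileges, so the endpoint must never reflect unvalidated input into the response.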
#9

[eluser]taewoo[/eluser]
Thanks, Gary.
This sort of explains it... http://www.ibm.com/developerworks/library/wa-aj-jsonp1/