nextwebgen.com

The Next Generation Web Now

xssinterface: cross domain access using postMessage and more

Filed under: Web 2.0 News — Dion Almaer at 7:14 am on Friday, February 29, 2008

Malte Ubl has put together a library called xssinterface (somewhat scary name) that uses postMessage when available, and tries work-arounds when not, to give you cross domain JavaScript access.

How it works

For browsers that support it, we use the postMessage() interface.

For all other browsers, we use the following mechanism:

All sites that participate in the cross domain calls must provide an HTML file (cookie_setter.html), which is provided by this library, that enables other domains to place certain cookies under the domain of the site.

The library uses this mechanism to place cookies on the target domain that are then read and evaluated by the target page.

Pages must explicitly grant access to their domain by setting a security token cookie under a domain that is allowed to access the callbacks.

As a caller you say:

JAVASCRIPT:

function sayHello() {
  var caller = new XSSInterface.Caller("www.two.com", "/cookie_setter.html", "channel1");
  // Invoke the "hello" callback that the listener page registered
  caller.call("hello", "Hello World");
}
 

As the listener:

JAVASCRIPT:

window.onload = function () {
  window.xssListener = new XSSInterface.Listener("1234567890", "channel1");
  // Explicitly grant www.one.com access to this page's callbacks
  window.xssListener.allowDomain("www.one.com", "/cookie_setter.html");
  // Only callbacks registered here can be invoked by the caller
  window.xssListener.registerCallback("hello", function (msg) { alert(msg); });
  window.xssListener.startEventLoop();
};
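
The explicit-grant model described above, applied to the postMessage() path, as an added example that is not xssinterface's own code. The createListener helper, the JSON envelope with channel, name and arg fields, and the https://www.one.com origin are assumptions made for illustration.

```javascript
// Added example: origin-checked postMessage dispatcher (hypothetical helper,
// not part of xssinterface). The {channel, name, arg} envelope is assumed.
function createListener(channel) {
  const allowedOrigins = new Set();
  const callbacks = new Map();

  return {
    // Grant access to one exact origin (scheme + host + port).
    allowOrigin(origin) {
      allowedOrigins.add(new URL(origin).origin); // normalizes; throws on invalid input
    },
    registerCallback(name, fn) {
      callbacks.set(name, fn);
    },
    // Handler for window "message" events; returns a status string.
    handleMessage(event) {
      // Exact match on the browser-supplied origin, never a substring test.
      if (!allowedOrigins.has(event.origin)) return "rejected: origin";
      if (typeof event.data !== "string") return "rejected: format";
      let msg;
      try {
        msg = JSON.parse(event.data);
      } catch (e) {
        return "rejected: format";
      }
      if (msg === null || typeof msg !== "object") return "rejected: format";
      if (msg.channel !== channel) return "rejected: channel";
      // Only explicitly registered names are callable; no eval, no window[name].
      const fn = typeof msg.name === "string" ? callbacks.get(msg.name) : undefined;
      if (!fn) return "rejected: callback";
      fn(msg.arg);
      return "dispatched";
    },
  };
}

// Constructed usage mirroring the listener above.
const received = [];
const listener = createListener("channel1");
listener.allowOrigin("https://www.one.com");
listener.registerCallback("hello", (msg) => received.push(msg));
const hello = JSON.stringify({ channel: "channel1", name: "hello", arg: "Hello World" });

// In a browser:
// window.addEventListener("message", (e) => listener.handleMessage(e));
```

The sending page would pass the target origin explicitly, for example `targetWindow.postMessage(hello, "https://www.two.com")`, rather than `"*"`.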
 

It would be nice if the library used cross domain workers if Gears is installed.
