Janky.post: Making cross-domain possible in javascript one request at a time (opens in new tab)

(saunter.org)

14 pointspyronicide15y ago9 comments

9 comments

9 comments · 5 top-level

rsoto15y ago· 2 in thread

Pretty interesting, but it seems like it doesn't work with FF4 b8.

Since it uses an iframe, it'll be interesting to know what happens on a site that detects that.

pyronicideOP15y ago

The one browser that I didn't test in, gah! Let's see what I can do about that ...

edit: It's fixed now, that's what I get for not reading the removeEventListener docs.

rsoto15y ago

Whoa, that was pretty quick. Thanks!

samstokes15y ago· 1 in thread

This is pretty cool. (tl;dr summary: creates a hidden iframe with a form pointing to the remote domain, submits the form, and uses postMessage to send the result back to the parent frame.)

We experimented with something similar a while ago, but found that creating and destroying all those iframes could slow down older browsers. (Our use case potentially required sending requests relatively frequently.) Have you observed anything like that with this technique?

pyronicideOP15y ago

I've not done much profiling/performance (especially on older browsers) yet. My use case for the whole thing was to do a fire and forget POST to a separate domain.

Honestly, flash might be the best solution for something like you're talking about. I was just going for something with almost no dependencies that was stupidly simple.

makmanalp15y ago· 1 in thread

Hold up, aren't cross-domain requests disallowed for a good reason (security)? I get that Access-Control is unsupported in old IE, but gosh, doesn't it make way more sense?

pyronicideOP15y ago

The reason that cross-domain requests are disallowed has to do almost entirely with cookies. The concern is that since almost everyone uses cookies for identity, it is possible (without the cross-domain barrier) for a random web page to tell the browser to go fetch all their secret data and then return it to the malicious page.

This whole thing isn't an issue any longer if the server containing the secret data is expecting random people to access it and implements auth with something more than cookies. Take a look at Twitter and Facebook. They both allow cross-domain requests.

janky.post will only work if the server is expecting the request (it won't allow arbitrary requests to anything on the remote server) and then, it's up to the remote site's engineers to make these endpoints secure.

jtchang15y ago

At one point one has to step back and ask what the hell we've created.

I mean really: creating hidden iframes with onload actions that post to another domain. I don't know whether to be proud of our ingenuity or sad that this is the cutting edge of interprocess communication for the web.

dedward15y ago

Security is a big one here - doing a <Script src=> include from another domain might be really convenient for getting around cross-domain limits - but if that remote server has been compromised, or if it's run by dodgy individuals, they now have complete control of your webpage and can do incalculable damage to your business.

j / k navigate · click thread line to collapse

9 comments

9 comments · 5 top-level

rsoto15y ago· 2 in thread

Pretty interesting, but it seems like it doesn't work with FF4 b8.

Since it uses an iframe, it'll be interesting to know what happens on a site that detects that.

pyronicideOP15y ago

The one browser that I didn't test in, gah! Let's see what I can do about that ...

edit: It's fixed now, that's what I get for not reading the removeEventListener docs.

rsoto15y ago

Whoa, that was pretty quick. Thanks!

samstokes15y ago· 1 in thread

This is pretty cool. (tl;dr summary: creates a hidden iframe with a form pointing to the remote domain, submits the form, and uses postMessage to send the result back to the parent frame.)

pyronicideOP15y ago

I've not done much profiling/performance (especially on older browsers) yet. My use case for the whole thing was to do a fire and forget POST to a separate domain.

Honestly, flash might be the best solution for something like you're talking about. I was just going for something with almost no dependencies that was stupidly simple.

makmanalp15y ago· 1 in thread

Hold up, aren't cross-domain requests disallowed for a good reason (security)? I get that Access-Control is unsupported in old IE, but gosh, doesn't it make way more sense?

pyronicideOP15y ago

jtchang15y ago

At one point one has to step back and ask what the hell we've created.

dedward15y ago

j / k navigate · click thread line to collapse