4

If in the website http://www.mysite.com there's an external js file added as

<script src="http://www.yoursite.com/new.js"></script> 

within the http://www.yoursite.com/new.js js file, there's an ajax call to a script in http://www.yoursite.com/new.js

In such a case will there be the same-origin policy security problem, as it's calling a script in a site from another website?

2 Answers

6

There will be a problem. new.js runs in the scope of mysite.com, not yoursite.com.

EDIT: a more detailed explanation would be: when mysite.com is opening a <script> tag, that script runs in the scope of the current page. The source of the script does not matter: it can be inline, local source, or remote source, it is still considered part of mysite.

As you know, scripts in mysite.com cannot access anything on yoursite.com due to the same origin policy. So you cannot do this.

As an advanced option for cross-origin communication look at jsonp. It will require yoursite.com to provide a special handling, but if you have control on both sites then this should not be a problem.


2 Comments

In blog.timothyfisher.com/?p=277 there's a sentence -> "The cross-domain limitation means that you can only communicate from the browser back to the domain from which the JavaScript was served." So I got a doubt whether a script on an external javascript file can have access to the site from which the js file is served even though it's running on a different website.
@anish. Using the <script> tag, a web page can load a script from ANY online resource, correct? So, if the URL for this script tag contained data in its name like somesite.com/script.js?mydata=42&suchandsuch=12&..., and the server returned legal js, what is the problem? Now, if the legal javascript was in fact a JSON-encoded object, it could also be anything. If your legal JS was "callback(JSON_encoded_data)" then, once the script was executed by your browser, it would just stuff your data into your callback function. This is what JSONP does, exactly. Believe me, it works perfectly.
0

JSONP is precisely what you're looking for: http://en.wikipedia.org/wiki/JSON

The 5,000m overview is that JSONP uses the same mechanism for requesting external scripts as you're using above. The difference is that your server will recognise this and will package up the JSON response as the argument to a callback method. When your site receives this 'script', it executes it thereby returning the data directly into your callback method.

If you are able to use a framework like jQuery, most of the client side would be transparently handled for you. Check it out here: http://api.jquery.com/jQuery.getJSON/

2 Comments

In blog.timothyfisher.com/?p=277 there's a sentence -> "The cross-domain limitation means that you can only communicate from the browser back to the domain from which the JavaScript was served." So I got a doubt whether a script on an external javascript file can have access to the site from which the js file is served even though it's running on a different website.
@anish-m. I'm not sure I understand what you've said, but I can assure you (since I've done it loads of times) that with JSONP you CAN effectively transmit and receive data (including arbitrary objects, etc.) to/from a third-party server. This (very) effectively gets around the same-origin policy that XMLHttpRequest is limited by (w3.org/TR/XMLHttpRequest).
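As an added example (not code from either answer or from jQuery), here is the JSONP round trip both answers describe, in JavaScript: the yoursite.com side wraps the JSON in a call to the requested callback, and the mysite.com side injects a <script> tag that runs in its own scope and hands the data to that callback. Function names (buildJsonp, requestJsonp, simulateRoundTrip) and the callback-name pattern are my own assumptions.

```javascript
// Server side (yoursite.com): wrap a JSON payload in a call to the callback
// named by the client. The name is checked against a strict identifier
// pattern so that a request such as ?callback=alert(1)// cannot turn the
// response into arbitrary script. Serve with Content-Type: application/javascript.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function buildJsonp(callbackName, payload) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error("invalid JSONP callback name");
  }
  // JSON.stringify output is valid JS except for U+2028/U+2029, which are
  // legal inside JSON strings but terminate a line in JavaScript.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // Leading comment keeps the response from being parsed as another format.
  return `/**/ ${callbackName}(${json});`;
}

// Client side (mysite.com): the browser fetches the "script" through a
// <script> tag, executes it in the page's own scope, and the script calls
// the global function whose name was sent in the callback parameter.
function requestJsonp(url, callbackName, onData) {
  window[callbackName] = function (data) {
    delete window[callbackName]; // one-shot handler
    onData(data);
  };
  const s = document.createElement("script");
  s.src = url + (url.includes("?") ? "&" : "?") +
    "callback=" + encodeURIComponent(callbackName);
  document.head.appendChild(s);
}

// Offline simulation of the round trip: execute the server's response the
// way the browser would when it runs the injected script.
function simulateRoundTrip(payload) {
  let received = null;
  const body = buildJsonp("cb", payload);
  new Function("cb", body)(function (data) { received = data; });
  return received;
}
```

Because the response executes as script inside mysite.com, the page trusts yoursite.com completely; that is the same point the first answer makes about any remote <script>.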
