

Janky.post: Making cross-domain possible in javascript one request at a time - pyronicide
http://saunter.org/janky.post/

======
jtchang
At one point one has to step back and ask what the hell we've created.

I mean really: creating hidden iframes with onload actions that post to
another domain. I don't know whether to be proud of our ingenuity or sad that
this is the cutting edge of interprocess communication for the web.

------
samstokes
This is pretty cool. (tl;dr summary: creates a hidden iframe with a form
pointing to the remote domain, submits the form, and uses postMessage to send
the result back to the parent frame.)

We experimented with something similar a while ago, but found that creating
and destroying all those iframes could slow down older browsers. (Our use case
potentially required sending requests relatively frequently.) Have you
observed anything like that with this technique?

~~~
pyronicide
I've not done much profiling/performance (especially on older browsers) yet.
My use case for the whole thing was to do a fire and forget POST to a separate
domain.

Honestly, Flash might be the best solution for something like you're talking
about. I was just going for something with almost no dependencies that was
stupidly simple.

------
dedward
Security is a big one here - doing a <Script src=> include from another domain
might be really convenient for getting around cross-domain limits - but if
that remote server has been compromised, or if it's run by dodgy individuals,
they now have complete control of your webpage and can do incalculable damage
to your business.

------
makmanalp
Hold up, aren't cross-domain requests disallowed for a good reason (security)?
I get that Access-Control is unsupported in old IE, but gosh, doesn't it make
way more sense?

~~~
pyronicide
The reason that cross-domain requests are disallowed has to do almost entirely
with cookies. The concern is that since almost everyone uses cookies for
identity, it is possible (without the cross-domain barrier) for a random web
page to tell the browser to go fetch all their secret data and then return it
to the malicious page.

This whole thing isn't an issue any longer if the server containing the secret
data is expecting random people to access it and implements auth with
something more than cookies. Take a look at Twitter and Facebook. They both
allow cross-domain requests.

janky.post will only work if the server is expecting the request (it won't
allow arbitrary requests to anything on the remote server) and then, it's up
to the remote site's engineers to make these endpoints secure.
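The pattern samstokes summarised (hidden iframe plus form POST, result sent back with postMessage) and the point above that the remote endpoint must be expecting the request, as an added example that is not janky.post's own code. It assumes a hypothetical remote origin `https://api.example.test` and a JSON reply shaped `{id, result}`; the defender-relevant parts are the origin check and the request-id match on the parent side, so a stray frame on the page cannot forge a response.

```javascript
// Added example (not janky.post's code). Parent page side of the
// hidden-iframe form POST, with the checks a response listener needs.
const pending = new Map();   // requestId -> callback still waiting
let nextId = 1;

// Build a hidden iframe and a form targeting it, then submit. Browser only.
function jankyPost(url, data, callback) {
  const id = String(nextId++);
  pending.set(id, callback);
  const iframe = document.createElement('iframe');
  iframe.style.display = 'none';
  iframe.name = 'janky_' + id;
  document.body.appendChild(iframe);
  const form = document.createElement('form');
  form.method = 'POST';
  form.action = url;
  form.target = iframe.name;
  // _id lets the remote page echo the request id back with its reply.
  for (const [k, v] of Object.entries({ ...data, _id: id })) {
    const input = document.createElement('input');
    input.type = 'hidden'; input.name = k; input.value = String(v);
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
  form.remove();
  return id;
}

// Message listener: accept only the origin we posted to, only parseable
// JSON, and only an id we are still waiting on (each id fires once).
// Returns true when a callback was delivered, false when the event was ignored.
function makeResponseHandler(expectedOrigin) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false;
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return false; }
    if (typeof msg !== 'object' || msg === null || !pending.has(msg.id)) return false;
    const cb = pending.get(msg.id);
    pending.delete(msg.id);
    cb(msg.result);
    return true;
  };
}

// Remote page side (inside the iframe): reply only to the expected parent origin,
// never to '*'. parentOrigin is configured by the remote site, assumed here.
function replyToParent(id, result, parentOrigin) {
  window.parent.postMessage(JSON.stringify({ id, result }), parentOrigin);
}

if (typeof window !== 'undefined') {
  window.addEventListener('message', makeResponseHandler('https://api.example.test'), false);
}
```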

------
rsoto
Pretty interesting, but it seems like it doesn't work with FF4 b8.

Since it uses an iframe, it'll be interesting to know what happens on a site
that detects that.

~~~
pyronicide
The one browser that I didn't test in, gah! Let's see what I can do about that
...

edit: It's fixed now, that's what I get for not reading the
removeEventListener docs.

~~~
rsoto
Whoa, that was pretty quick. Thanks!

