Time to Rethink the Cross-Domain Javascript situation

Joe Walker worries about Operator Overloading in Javascript. Though I’m not sure I see an immediate attack, I think Joe is worried about the right thing: since cross-domain execution is dependent on whether the file is well-formed according to the Javascript language, and since the Javascript language is changing over time, we’ve got a real problem.

This is related to the argument I was making a few days ago about the unwitting servers. It needs to be pretty darn clear when a web server is enabling cross-domain requests. We can’t expect all web app owners to keep track of the changes in the Javascript language and make sure they’re not accidentally outputting a valid Javascript program. We need a more reliable method for allowing/disallowing cross-site access, e.g. explicit HTTP headers that enable cross-domain access in very specific cases, such as MIME type or Access-Control.

The MIME type restriction should begin ASAP: the browser will execute a third-party script only if it is delivered with the right Javascript MIME-type. Since the major uses of cross-site Javascript execution, statistics tracking and such, are run by big knowledgeable web site owners, e.g. Google, such a restriction should be easy to enforce as long as it’s announced a few months ahead of time. Deliver all your Javascript with the right MIME type. Any data delivered with a different MIME type, even if it looks like Javascript, will not be executed. (I believe this idea is Doug Crockford’s, who proposed it for JSONRequest.)

2 thoughts on “Time to Rethink the Cross-Domain Javascript situation

  1. Solve XMLHttpRequest cross browser issue using Google gadget

    I have found one solution for cross-domain problem.

    I have a youtube player which gets RSS feed from youtube.com. But I have hosted the page at googlepages.com.
    Earlier I had web proxy which got data from youtube which was then converted into JSON and then fed to the javascript in webpages on googlepages.

    Well now I converted my javascript to Google Gadget, this will give your webpage an access to Google’s javascript library, this library will fetch any site via web proxy. In summary if you use Google gadget code you can circumvent the cross domain problem.

    Check this link –

    http://padmanijain.googlepages.com/newmyexperiment.html

  2. Solve XMLHttpRequest cross browser issue using Google gadget

    I have found one solution for cross-domain problem.

    I have a youtube player which gets RSS feed from youtube.com. But I have hosted the page at googlepages.com.
    Earlier I had web proxy which got data from youtube which was then converted into JSON and then fed to the javascript in webpages on googlepages.

    Well now I converted my javascript to Google Gadget, this will give your webpage an access to Google’s javascript library, this library will fetch any site via web proxy. In summary if you use Google gadget code you can circumvent the cross domain problem.

    Check this link –

    http://padmanijain.googlepages.com/newmyexperiment.html

Comments are closed.