Justin du Coeur (jducoeur) wrote,

A Javascript Mystery

I'm relatively new to the intricacies of sophisticated cross-site pages using Javascript, and I'm a little surprised by what I'm finding. Am I understanding this correctly?

It's like this -- we are about to build some widgets for our new system. They are designed to be placed on the pages of partner sites, and communicate back to our site via our APIs. (The nature of the widgets and the APIs is still under wraps, but irrelevant for purposes of this discussion.) The widgets are, necessarily, hosted on our site.

This turns out to be a surprisingly hard problem, because of data-security issues. If the widgets are placed on the partner site inside of IFRAMEs, they basically can't communicate with the containing page because of cross-site security issues (which is bad), but they can talk to our SOAP APIs just fine. If they are instead placed on the partner site via SCRIPT includes, they can talk to the containing page just fine (because even cross-site script references are considered part of the containing page), but they can't talk to our SOAP APIs at all because of cross-site security issues (which is bad).

*But* -- in the latter case, they can still talk to our APIs if we rewrite those APIs using cross-site JSON encoding instead. That is, if we pretend that the APIs are actually *scripts*, then we can talk to them anyway. This seems to be the standard workaround for the inability to use XMLHTTPRequest on a cross-site basis, and everyone seems to be pretty casual about it.

Am I missing something, or is this completely idiotic? Any programmer worth his salt knows that data and code are essentially interchangeable with enough effort, and that if anything, code is the superset. So in what way does it make sense to prevent the data APIs from working cross-site, while allowing the script ones to do so? At first blush, it certainly appears that either (a) the ability to use SCRIPT tags cross-site is a gaping security hole, or (b) if we don't care about that, then there is no reason to be preventing XMLHTTPRequest from working cross-site, because the two are logically fungible.

I'm not hip enough to the security issues to know which is the case, but they certainly appear to be wildly inconsistent. As I find myself probably having to write a whole new API layer to JSON-ize our APIs, it's rather annoying...
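An added example, not from the post, of what the "pretend the API is a script" workaround (usually called JSONP) actually looks like on both ends, and why the browser treats it differently from a cross-site XMLHttpRequest. A SCRIPT tag executes the response but never lets the including page read its text, so the page only learns anything if the server chose to wrap the data in a call to a function the page named. XMLHttpRequest would expose the raw bytes of any response, which is why it is confined to the same origin. The function names, the `handle` callback and the sample payload are assumptions for illustration; the `new Function` call stands in for the browser executing a fetched script in the page's global scope.

```javascript
// Server side of a JSONP endpoint: the same data a JSON API would return,
// wrapped in a call to the callback the page asked for. Emitting this wrapper
// is the server's explicit opt-in to being read cross-site.
//
// The callback name is echoed verbatim into executable code, so it must be
// restricted to a plain identifier; anything else would let the query string
// turn the response into arbitrary script running on the partner page.
const CALLBACK_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function jsonpResponse(data, callbackName) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("invalid JSONP callback name: " + callbackName);
  }
  // The payload is still ordinary JSON; only the wrapper makes it a script.
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Client side: what <script src="https://api.example/widget?callback=handle">
// does. A browser would run the fetched text in the page's scope, where the
// page has defined `handle`; here that scope is emulated with a Function whose
// single parameter is the callback (assumption for running outside a browser).
function runAsScript(scriptText, callbackName) {
  let received; // stays undefined unless the script calls the callback
  const handle = (payload) => { received = payload; };
  try {
    new Function(callbackName, scriptText)(handle);
  } catch (e) {
    // A bare JSON object such as {"user":"alice"} is not a valid statement,
    // so loading a plain data API through a SCRIPT tag yields nothing at all.
    return undefined;
  }
  return received;
}

// Constructed sample: the data the widget wants from our API.
const SAMPLE = { user: "alice", items: 2 };

// Defender's note: because any site can load the script, the endpoint must not
// return anything tied to the visitor's cookies that the partner site should
// not see; JSONP has no way to tell which page included it.
function demo() {
  const wrapped = jsonpResponse(SAMPLE, "handle");
  return {
    wrapped,                                        // handle({"user":"alice","items":2});
    viaJsonp: runAsScript(wrapped, "handle"),       // the page receives the object
    viaPlainJson: runAsScript(JSON.stringify(SAMPLE), "handle"), // undefined
  };
}
```

The three results of `demo()` are the whole asymmetry: the wrapped response hands the object to the page, the unwrapped JSON response hands it nothing, and a callback name that is not an identifier is rejected before it can reach the response.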
Tags: programming