3

I'm displaying an external JavaScript file using jQuery. Is the reason "same origin policy" is not being broken because it is not an AJAX request?

http://jsfiddle.net/m7q3H/52/

Fiddle code :

HTML

<body>
  <div id="toupdate">
     <script type="text/javascript" charset="utf-8" src="http://static.polldaddy.com/p/6343621.js"></script>
  </div>
</body>

jQuery

$(document).ready(function() {
   console.log('HTML is ' + $('#toupdate').html());
});
thecodeparadox
blue-sky
  • 2
    This is the very reason JSON-P works and exists at all. This is the circumvention that the model uses. – TheZ Aug 16 '12 at 16:51

3 Answers

5

Oh absolutely no problem here. You could reference javascript files from wherever you want. For example Google CDN provides common js files such as jQuery that you could use:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js"></script>

By the way that's exactly how jQuery's implementation of JSONP works. It uses javascript to inject a <script> tag dynamically to the DOM pointing to some remote server side script:

<script src="//remotedomain.com/script?callback=abc"></script>

this remote script responds with a Content-Type: 'application/x-javascript' response header and the following body:

abc({"foo":"bar"})

and on your domain you simply define the abc function:

<script type="text/javascript">
    function abc(data) {
        alert(data.foo);
    }
</script>

and there you go: a simulation of a cross domain AJAX (I say simulation because it is not using the native XHR object but it achieves the same effect).

Now you can understand why jQuery's JSONP implementation is limited to GET requests only => because when you inject a script tag, the browser sends only a GET request to its src attribute.

Darin Dimitrov
  • does this mean it's limited to json only? Returning files of other types such as .js is not allowed? – blue-sky Aug 16 '12 at 17:00
  • No, the ` – Darin Dimitrov Aug 16 '12 at 17:02
  • but the response body contains json, it cannot be of any other type ? – blue-sky Aug 16 '12 at 17:12
  • Are you talking about my example with `abc({"foo":"bar"})` or your script that returns simple JSON: `{"foo":"bar"}`? If you return invalid javascript such as `{"foo":"bar"}` you will obviously end up with a javascript error when the browser tries to execute it. – Darin Dimitrov Aug 16 '12 at 17:14
  • ok, I think I need to read up on json-p. I was just wondering if it was possible to return something other than json, which I don't think it is, as the name json-p implies, thanks for the detailed answer – blue-sky Aug 16 '12 at 17:26
  • 1
    @user470184 While it is not allowed directly, it is not impossible to send javascript with variables containing stringified versions of, for example, html or xml and then decode it. – TheZ Aug 16 '12 at 19:15
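The script-injection exchange that the answer above describes, written out as an added example (not code from the original question or answers): the server side builds the `abc({"foo":"bar"})` body and the client side consumes it by exposing the callback, with `new Function` standing in for the browser executing the fetched script. It assumes the endpoint also checks that the callback name is a plain identifier, since that name is reflected verbatim into executable script.

```javascript
// Added example, not from the original question or answers: the JSONP
// exchange from the answer above, modelled in Node without a browser.
// Server side builds the script body the remote endpoint returns; client
// side shows that consuming it only requires a globally visible callback.

// Only a plain JS identifier may serve as the callback name, because the
// endpoint reflects it verbatim into executable script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Server side: body sent with Content-Type: application/x-javascript,
// e.g. abc({"foo":"bar"}) for callback "abc".
function buildJsonpResponse(callbackName, payload) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error('rejected callback name: ' + JSON.stringify(callbackName));
  }
  return callbackName + '(' + JSON.stringify(payload) + ')';
}

// Client side: a browser runs the fetched script in the page's global scope,
// where the callback has already been defined. Here `new Function` stands in
// for that (assumption: the callback is passed in as the one visible binding).
function consumeJsonpResponse(scriptBody, callbackName) {
  let received;
  const callback = function (data) { received = data; };
  // Throws a SyntaxError for a body that is not valid JavaScript, which is
  // exactly what happens when an endpoint returns bare JSON like {"foo":"bar"}.
  new Function(callbackName, scriptBody)(callback);
  return received;
}

// Worked round trip with a constructed payload.
function demo() {
  const body = buildJsonpResponse('abc', { foo: 'bar' });
  const data = consumeJsonpResponse(body, 'abc');
  return { body: body, foo: data.foo };
}

console.log(demo()); // { body: 'abc({"foo":"bar"})', foo: 'bar' }
```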
4

Yes. You can load scripts from other domains using script tags, but you can't use the XMLHttpRequest object (AJAX requests) to make cross domain requests.

marteljn
0

As long as your external .js is loaded with a `<script>` tag, the same origin policy considers it to be secure js that you trust.

luigi7up