
I have built a content locker widget for members of my website. A content locker forces a visitor to complete a survey before it redirects them.

Basically, I need to have JavaScript make an Ajax request to my domain and redirect the user if the survey is finished. Let's just say a PHP script will echo '1' for complete and '0' for incomplete.

This would be trivial normally, but users place the JavaScript code on THEIR websites, not mine. So I am worried about running into Cross-Scripting flags.

So how do content lockers do this? I know this is possible because companies like Adscend Media have one.

Also, after designing their widget on my website, they put a code on their website with something like this:

<script type="text/javascript" src="http://mywebsite.com/js/w.php?i=6PS0D9"></script>

This goes in the head tag. Does including this script somehow make Cross-Scripting to my domain available since the script itself is on my domain?

Thanks for any help.

kmoney12

1 Answer


The basic issue you're concerned about is the "same origin policy", which is a policy followed by all major browsers to prevent web sites from making AJAX requests to other domains.

However, the same-origin policy does not limit scripts brought in by <script> tags, which is why content lockers are able to serve any script files they want without issue. Incidentally, this is also how the "JSONP" workaround for the same-origin policy works.

If you want to allow your customers to make cross-domain requests to your website, you can add their domain name to a special "crossdomain.xml" file on your site, and (current) browsers will allow those requests to work (I forget the name/path of the file, but it should be easy to look up if you're interested; see here for more info: https://support.ookla.com/entries/21097566-what-is-crossdomain-xml-and-why-do-i-need-it).

Alternatively, your customers could set up a proxy to your server on theirs (probably not something they want to do). Or, you could just use JSONP, which is basically where:

  1. Your user runs JS that adds a script tag to the page; that script tag's url is something like 'yoursite.com/shouldILetThisGuyIn/'.
  2. Your server sends them back a JS file with something like `var letThisGuyIn = true; function foo() { return letThisGuyIn }`
  3. Your user runs 'foo()', and gets the result, determining whether to let that guy in or not.
machineghost
  • So if I make w.php (the javascript file they load onto their websites) have AJAX requests to my domain, there won't be any problem? – kmoney12 Dec 03 '12 at 21:29
  • No ... I think. I *believe* in that case the browser would still consider the "origin" domain to be their domain, not yours. However, if you bring in the "should let the guy in" info as a javascript file with a function that returns the answer (as I describe in the edited answer above) that would work (and would be "JSONP"). – machineghost Dec 03 '12 at 21:31
  • Or you can just update the allowed cross-domain requests file on your server to have all of your customers' domains. That would let you make normal AJAX requests, and might be easiest (if you know all your customers' domains). – machineghost Dec 03 '12 at 21:32
  • I haven't ever worked with JSONP....basically, what you are saying is I can make the server return a javascript function that would be run? – kmoney12 Dec 03 '12 at 21:35
  • How would I make multiple requests tho? I need the locker to check every 10 seconds for survey completion. Would I keep appending more – kmoney12 Dec 03 '12 at 21:35
  • Exactly. Their server asks for a URL on your server, and includes whatever parameters, just like a normal AJAX request. But instead of doing `$.ajax` you add a script tag to the page (every time you want to check), and then invoke a function (with a name you agreed to ahead of time) to get the result of the "call". – machineghost Dec 03 '12 at 21:36
  • But again, if you know all your customers' domains, editing crossdomain.xml is probably your best bet. – machineghost Dec 03 '12 at 21:37
  • It seems like there must be a simpler way. I have a couple thousand members, so the crossdomain.xml with each domain probably wouldn't work, I will just be accepting all requests. Most of my users aren't tech savvy so I don't want them to have to do anything besides add the original – kmoney12 Dec 03 '12 at 21:41
  • Welcome to the same-origin policy, the bane of JS devs everywhere ;-) Like it or not, there's really only three solutions to it: 1) JSONP, 2) crossdomain.xml, 3) set up a proxy. If you want to make your customers' lives easier you DO NOT want to ask them to do 3, so that leads to either them doing a little work (JSONP), which you can still wrap up into copy/paste code for them, or you doing a little work (crossdomain.xml). Scour Stack Overflow, I promise those are your options (well, or you could get every user of every customer you have to change a browser setting ... good luck with that). – machineghost Dec 03 '12 at 21:44
  • How does crossdomain.xml work? I'm not sure I understand that. Would I put that on my website or theirs? – kmoney12 Dec 03 '12 at 21:46
  • Check the link I provided in the answer, or this SO question: http://stackoverflow.com/questions/213251/can-someone-post-a-well-formed-crossdomain-xml-sample (but the short answer to your question is that it goes on your website) – machineghost Dec 03 '12 at 22:06
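The JSONP exchange the answer describes, as an added example that is not code from the question, the answer, or any content-locker product: the script that `w.php` ships appends a `<script>` tag pointing at the poller URL, the server answers with JavaScript that calls back into the page, and the client repeats this on a timer (the question asks for every 10 seconds). It goes slightly beyond the answer's pre-agreed `foo()` by using the usual JSONP form, where the client picks a fresh callback name per request and passes it in the query string; that is what makes the callback name attacker-controlled input the server must validate before reflecting it into a script body, or the endpoint becomes a reflected XSS on your own domain. All hostnames, paths, locker ids and function names are hypothetical, the survey table is constructed sample data standing in for the PHP script's database lookup, and the round-trip helper at the bottom only exists so the two halves can be exercised without a browser. One caveat a practitioner would want stated: the lock is enforced entirely in the visitor's browser, so whatever the redirect leads to must not treat the locker as an access control.

```javascript
// Added example (not from the original post): a JSONP "should I let this guy in?"
// exchange, server side and client side, plus an offline round-trip helper.
// Every name, URL and id below is hypothetical.

// ---------- server side: what yoursite.example/shouldILetThisGuyIn/ emits ----------

// The callback name is reflected into a script body, so it is an XSS sink unless it
// is restricted to a plain identifier (?callback=alert(1)// must be rejected).
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && CALLBACK_RE.test(name);
}

// Constructed sample data standing in for the database the real PHP script would query.
const SURVEY_DONE = new Map([['6PS0D9', false], ['K7Q2ZZ', true]]);

// Builds {status, headers, body} for a parsed query such as {i: '6PS0D9', callback: '__locker_cb0'}.
function buildJsonpResponse(query) {
  if (!isValidCallbackName(query.callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'bad callback' };
  }
  const complete = SURVEY_DONE.get(query.i) === true;
  // JSON.stringify yields a JS literal; never string-concatenate raw user data into the body.
  const payload = JSON.stringify({ complete });
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${query.callback}(${payload});`,
  };
}

// ---------- client side: what w.php ships to the customer's page ----------

let cbCounter = 0;

// One JSONP "request". `doc` is passed in instead of touching the global `document`
// so the same code runs against a fake document in the round-trip helper below.
function jsonpRequest(doc, endpoint, lockerId, onResult) {
  const name = '__locker_cb' + (cbCounter++);
  const script = doc.createElement('script');
  globalThis[name] = (data) => {
    delete globalThis[name];                     // one-shot: each poll gets a fresh name
    if (script.parentNode) script.parentNode.removeChild(script);
    onResult(data);
  };
  script.src = endpoint + '?i=' + encodeURIComponent(lockerId) +
               '&callback=' + encodeURIComponent(name);
  doc.head.appendChild(script);
  return script;
}

// Polls every intervalMs and redirects the visitor once the survey is reported complete.
// Note that this decision is made in the visitor's browser, so it is not an access control.
function startLocker(doc, win, endpoint, lockerId, redirectTo, intervalMs) {
  const timer = setInterval(() => {
    jsonpRequest(doc, endpoint, lockerId, (data) => {
      if (data && data.complete === true) {
        clearInterval(timer);
        win.location.href = redirectTo;
      }
    });
  }, intervalMs);
  return timer;
}
// In a real page w.php would emit something like:
// startLocker(document, window, 'https://yoursite.example/shouldILetThisGuyIn/',
//             '6PS0D9', 'https://yoursite.example/unlocked', 10000);

// ---------- offline round trip: glue the two halves together without a browser ----------

function parseQuery(url) {
  const q = {};
  for (const [k, v] of new URL(url).searchParams) q[k] = v;
  return q;
}

// Simulates one poll: the client builds the script URL, the "server" answers, and the
// script body is executed so the callback fires. Returns what the client received.
function simulatePoll(lockerId) {
  const appended = [];
  const fakeDoc = {
    createElement: () => ({ parentNode: null }),
    head: { appendChild: (el) => appended.push(el) },
  };
  let received = null;
  jsonpRequest(fakeDoc, 'https://yoursite.example/shouldILetThisGuyIn/', lockerId,
               (data) => { received = data; });
  const response = buildJsonpResponse(parseQuery(appended[0].src));
  if (response.status === 200) new Function(response.body)();
  return { status: response.status, received };
}
```

Because each poll registers a fresh one-shot global and removes its own `<script>` tag, the ten-second loop from the comments does not accumulate tags or leak callbacks; and because the callback name is validated against an identifier pattern and the payload is emitted via `JSON.stringify`, the only way user input reaches the script body is as a function name the server has already vetted.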