I'm thinking about a system in which I allow users to create JavaScript-empowered widgets for other users to embed in their dashboard on my website. I'd like to limit these widgets fairly strictly, so each would exist as an iframe kept on its own unique hostname: the widget with ID #47 would be accessible at w47.widgets.example.com, for example.

It would be helpful, for permission-granting dialogs and the like, to allow the widget to call very specific methods explicitly granted by the parent window, without authorizing the iframe to do whatever it likes with the parent frame on the user's behalf.

Is it possible for a parent document to explicitly allow certain method calls to a child document on a different host?

+1  A: 

You could create your own protocol with postMessage and receiveMessage to let exactly what you want through. This may not work for you if you have a large variety of browsers to support, though. Older browsers (IE 7 and below, for example) require a workaround to do this technique that's kind of nasty.

x1a4
Ooh, that's fancy! And I found [a jQuery plugin](http://benalman.com/projects/jquery-postmessage-plugin/) that seems to implement the cross-browser workarounds for me. Thanks!
Matchu
That plugin works great; just make sure the URLs match up. I spent the better part of 2 days making all of that work in every browser, even with the plugin, due to needing to match up the URL on both server and client side - I needed to set up a two-way communication channel, so it got kind of dicey. Definitely possible, though.
x1a4
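
A parent-side sketch of the postMessage protocol suggested in the answer, added here as an example and not code from the thread: the dashboard checks the sender's origin and window, then dispatches only to an explicit allowlist of methods. The `https` scheme, the `{id, method, args}` message shape, the iframe id and the method names are assumptions.

```javascript
// Added example: parent-side dispatcher for one widget iframe.
// The message shape {id, method, args} and the method names are assumptions.
function createWidgetBridge(widgetOrigin, widgetWindow, allowedMethods) {
  // Null-prototype map so "constructor", "__proto__" etc. never resolve.
  const methods = Object.assign(Object.create(null), allowedMethods);

  return function onMessage(event) {
    // 1. Only the expected origin, and only the frame we embedded for it.
    if (event.origin !== widgetOrigin || event.source !== widgetWindow) {
      return "ignored";
    }
    const msg = event.data;
    // 2. Treat the payload as untrusted data: check its shape before use.
    if (msg === null || typeof msg !== "object" ||
        typeof msg.method !== "string" || !Array.isArray(msg.args)) {
      return "malformed";
    }
    // 3. Pin the reply's target origin; never use "*".
    const reply = (body) =>
      widgetWindow.postMessage(Object.assign({ id: msg.id }, body), widgetOrigin);

    const fn = methods[msg.method];
    if (typeof fn !== "function") {
      reply({ error: "method not allowed" });
      return "denied";
    }
    try {
      reply({ result: fn(...msg.args) });
      return "ok";
    } catch (err) {
      reply({ error: "call failed" }); // do not leak parent internals
      return "error";
    }
  };
}

// Wiring in the dashboard page (browser only; skipped elsewhere).
if (typeof window !== "undefined") {
  const frame = document.querySelector("iframe#w47"); // hypothetical id
  const bridge = createWidgetBridge("https://w47.widgets.example.com",
    frame.contentWindow, {
      getDisplayName: () => "constructed-user",        // hypothetical method
      requestPermission: (name) => name === "notify",  // hypothetical method
    });
  window.addEventListener("message", bridge);
}
```

Each allowlisted method still has to validate its own arguments, since `args` comes from the widget author's code.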