views: 378
answers: 3

How is it that tools like this one can make an Ajax-style call back to a central site? Basically they give you a <script> tag to put on your site, wherever it is. So in this widget you have the ability to ask for an email to be sent to you for the page you're currently on. I assume this makes an Ajax-style call back to ShareThis, which sends out the email. But how can they do this without a proxy on your server and without the browser blocking it as an XSS exploit?

Any answers on this would be greatly appreciated; thank you for your help. I assume working with the Flickr API would present the same challenges?

Link from the title: http://sharethis.com/

+6  A: 

They give you a script to include in your site. This script has full access to the DOM and your cookies. In order for it to call back to their site, they use a technique called JSONP. The script that you included adds another script with parameters in the query string. The server then returns JSON (which is just JavaScript), and the data is extracted.

If you are building mashups, you have to trust that these widgets aren't going to do something malicious like steal your cookies. There will be better support for safe XSS in IE 8.

Lance Fisher
A: 

The answer is that browsers, for some reason, only block XmlHttpRequests to servers other than the originating one. You are free to use <SCRIPT> tags with SRC pointing wherever, and such script tags can of course be dynamically inserted into your DOM.

eliego
+1  A: 

You don't even need to use JSON for this.

You can retrieve JavaScript code from any domain using a script tag, so a lot of these widgets just create a script node, and the response is formatted like:

someFunction("Callback Data");

someFunction is already an existing function in the original widget source, and dumps the data into your DOM.

FlySwat
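The script-tag round trip that Lance Fisher and FlySwat describe, as an added example that is not code from the original thread or from ShareThis: the client builds the script URL the widget would inject, the server wraps JSON in the named callback, and the browser's execution of the response is simulated so it runs under Node. The endpoint, the parameter names and the callback-name rule are assumptions.

```javascript
// Added example, not code from the original thread: a JSONP round trip
// simulated without a browser so that it runs under Node.
// The endpoint, parameter names and the callback-name rule are assumptions.

// Only plain identifiers (optionally dotted) may be echoed back as the callback.
const CALLBACK_NAME_RE = /^[A-Za-z_$][\w$.]{0,63}$/;

// Client side: build the URL the widget would put on a dynamically created
// <script src="..."> element. Same-origin policy does not apply to script src.
function buildJsonpUrl(endpoint, params, callbackName) {
  const qs = new URLSearchParams({ ...params, callback: callbackName });
  return `${endpoint}?${qs.toString()}`;
}

// Server side: read the query, reject callback names that are not identifiers
// (an echoed arbitrary string would be script injection), and return
// `callbackName(<json>)` as JavaScript.
function jsonpResponse(url, handler) {
  const { searchParams } = new URL(url);
  const cb = searchParams.get('callback') || '';
  if (!CALLBACK_NAME_RE.test(cb)) {
    return { status: 400, contentType: 'text/plain', body: 'bad callback name' };
  }
  const data = handler(Object.fromEntries(searchParams));
  // JSON.stringify makes the payload a literal, so user data cannot become code.
  return { status: 200, contentType: 'application/javascript',
           body: `${cb}(${JSON.stringify(data)});` };
}

// Client side again: the browser would execute the response as a script with
// full page access; here it runs with only the registered callbacks in scope.
function runJsonp(responseBody, callbacks) {
  const names = Object.keys(callbacks);
  return new Function(...names, responseBody)(...names.map(n => callbacks[n]));
}

// Constructed demo of a "mail me this page" widget request (no network used).
function demo() {
  const received = [];
  const url = buildJsonpUrl('https://example.invalid/share',
    { page: 'http://my.site/post/1', to: 'me@example.invalid' }, 'someFunction');
  const resp = jsonpResponse(url, q => ({ ok: true, sentTo: q.to }));
  runJsonp(resp.body, { someFunction: d => received.push(d) });
  return { url, status: resp.status, received };
}

console.log(JSON.stringify(demo()));
```

The callback-name check is the server-side control to keep: an endpoint that echoes an arbitrary callback string into a script response is itself a script-injection sink, which is the same risk the question raises from the page-owner's side.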