Hi, I'm developing a JavaScript API service. The main HTML page looks like this:

<html>
<head>
  <script type="text/javascript" src="scripts/logic.js"></script>
  <script type="text/javascript" src="scripts/jquery-1..."></script>
  <script type="text/javascript" src="http://mydomain/api/main.js"></script>
</head>
...
</html>

In the main.js script I load another script from mydomain. I'm doing it by adding a script tag ([script.. src="http://mydomain/api/getsomedata.js?callback_id=3434&someparams=..."]). The loaded script immediately calls the API callback function: MyApi.processCallback(...). Everything works OK.

But when I try to load another mydomain script from a local file (logic.js), I get a very strange situation: all script global objects are undefined. There is no MyApi object or jQuery $ object, which were visible during the previous call. So I can't call the MyApi callback function.

Perhaps it is because of security restrictions. Anti-XSS, or something similar. I tried to add an X-XSS-Protection header, like in all Google JavaScript APIs. But it did not help.

I don't use iframes.

The problem can be solved exactly, since many cross-site JavaScript APIs are working (Google Maps API, etc.) on the same idea.

A: 

What is happening in your script?

If you are doing Ajax calls back to the domain, your script will fail with a Same Origin security error. If you need to do communication with your server from another domain, then you need to use JSONP to do it. If you are working with only modern-day browsers, you can get away with CORS.

epascarello
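
The two options named in the answer, sketched for the service in the question as an added example that is not part of the original post or answer: the server side of a JSONP reply and of a CORS reply, with `callback_id` validated before it is echoed into script. Only `MyApi.processCallback` and `callback_id` come from the question; `ALLOWED_ORIGINS`, the function names and the example origin are assumptions.

```javascript
// Added example. Hypothetical names: ALLOWED_ORIGINS, jsonpResponse, corsResponse, loadJsonp.
const ALLOWED_ORIGINS = new Set(["https://customer.example"]); // constructed allowlist

// JSONP: the reply is a script that the embedding page runs in its own global scope.
function jsonpResponse(query, data) {
  const id = String(query.callback_id || "");
  // The id is echoed into executable script, so accept digits only.
  if (!/^\d{1,10}$/.test(id)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad callback_id" };
  }
  // JSON.stringify leaves "<", U+2028 and U+2029 raw; escape them for script context.
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff" },
    body: `MyApi.processCallback(${id}, ${json});`,
  };
}

// CORS: plain JSON; the browser lets Ajax code read it only from allowlisted origins.
function corsResponse(origin, data) {
  const headers = { "Content-Type": "application/json", "Vary": "Origin" };
  if (ALLOWED_ORIGINS.has(origin)) headers["Access-Control-Allow-Origin"] = origin;
  return { status: 200, headers, body: JSON.stringify(data) };
}

// Client side of JSONP: a script tag is not blocked by the same-origin policy.
// `doc` is the page's document object.
function loadJsonp(doc, url) {
  const s = doc.createElement("script");
  s.src = url;
  doc.head.appendChild(s);
  return s;
}
```
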