I know, there's JSONP, which involves server cooperation to name-space the data.

What is bothering me is the fact that the content of script tag src is evaluated, but it's NOT available to read.

<script src="http://www.google.com"></script>

All we need to figure out is how to namespace the data, that's all. Of course I tried pretty idiotic things with no relevant result (I know this doesn't work, but you can see what I'm trying to achieve):

<script>eval('var namespace="');</script>
<script src="http://www.google.com"></script>
<script>eval('";');</script>

Since there's really no relevant info on how the src content is evaluated (I know it's global scope), if we could trace the evaluation steps or maybe chain eval scopes somehow (not much documentation about this either), we could solve this annoying "evaluated but not readable" thing.

Any ideas?

+1  A: 

I'm not sure this is at all possible due to browser security policies.

Yuval A
A: 

I'm inclined to say leave it. These kinds of issues will be solved, but not by hacking around what we already have. The web is fundamentally broken in that regard. The fact that any script from one domain can be executed on another is a severe security vulnerability that will hamper the growth of the web if left unchecked.

http://www.slideshare.net/webdirections/douglas-crockford-ajax-security-presentation

Andy Hume
+1  A: 

HTML5 provides window.postMessage, which provides a mechanism for safe cross-domain messaging, and is supported by Firefox 3, Opera 9.6, and WebKit nightlies.

That said, your suggestion above cannot work because it requires fundamentally different behaviour from JavaScript's eval. eval parses and executes the given string in the current context -- what you're requesting is that eval change the actual code of the containing function. e.g.

 for (var i = 0; i < 10; i++) eval("; doSomething();");

would become

 for (var i = 0; i < 10; i++) ; doSomething();;

meaning the for-loop becomes empty, and doSomething would only be called once. Clearly this would result in incredibly difficult-to-comprehend semantics, as well as making it substantially less safe to use, as eval would gain the ability to directly influence control flow.

olliej
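The postMessage exchange this answer points to, as an added example that is not part of the original thread: a data-serving iframe answers requests from an embedding page, each side checking event.origin on receipt and passing an explicit targetOrigin when sending. The origins, message format, function names and sample data are assumptions, and the browser objects are mocked so the handler logic runs in Node.

```javascript
// Added example (not from the thread): a request/response exchange over
// window.postMessage with origin checks on both ends. Origins, message shape
// and sample data are assumptions; browser objects are mocked so it runs in Node.
const PARENT_ORIGIN = "https://app.example";  // page that embeds the frame
const DATA_ORIGIN = "https://data.example";   // iframe that serves the data

// Provider side, inside the data.example iframe: ignore requests from any
// other origin, parse (never eval) the payload, reply to the exact origin.
function providerHandler(event) {
  if (event.origin !== PARENT_ORIGIN) return false;
  let request;
  try {
    request = JSON.parse(event.data);
  } catch (e) {
    return false;
  }
  if (request.type !== "get" || typeof request.key !== "string") return false;
  const records = new Map([["greeting", "hello"]]);  // constructed sample data
  const value = records.has(request.key) ? records.get(request.key) : null;
  event.source.postMessage(
    JSON.stringify({ type: "result", key: request.key, value }), PARENT_ORIGIN);
  return true;
}

// Consumer side, in the embedding page: accept results only from the data
// frame's origin and treat them as data, not code.
function consumerHandler(event) {
  if (event.origin !== DATA_ORIGIN) return null;
  try {
    const msg = JSON.parse(event.data);
    return msg.type === "result" ? msg : null;
  } catch (e) {
    return null;
  }
}

// Simulate the round trip. A real browser drops a reply whose targetOrigin
// does not match the receiving window's origin; the mock does the same.
function runExchange(key, requesterOrigin = PARENT_ORIGIN) {
  let received = null;
  const parentWindow = {
    postMessage(data, targetOrigin) {
      if (targetOrigin !== PARENT_ORIGIN) return;
      received = consumerHandler({ origin: DATA_ORIGIN, data });
    },
  };
  const data = JSON.stringify({ type: "get", key });
  const handled = providerHandler({ origin: requesterOrigin, source: parentWindow, data });
  return { handled, received };
}
```

In a real page the two handlers are registered with `window.addEventListener("message", ...)` in their respective documents; the simulation only replaces the browser's delivery step.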