I am wondering what best practices are for providing dynamic content in lightweight, 'drop in' widget style that can be used by third party content editors.

To elaborate, we would like to give third parties the ability to show dynamic content from us on their website without a back end system integration where they would have to call one of our APIs server side - ideally it would be possible for their content editors simply to include a provided snippet in their HTML. A concrete example would be a bestseller list that changes every few hours.

Using an IFRAME is one obvious way of accomplishing this, but I'm curious if there are others that allow tighter integration into their source and more flexible styling and are 'expected best practice' for such an offering as it isn't a field I know well - JavaScript/JSON perhaps?

+2  A: 

I'd call an iframe best practice since it does not grant the framed content any excess rights, but having a JavaScript file that other sites can include seems pretty common as well, so you could probably get a lot of site owners to accept that. Still, the iframe is preferable; you shouldn't use JavaScript unless it really makes a difference.

You can easily make the to-be-iframed page configurable through parameters in the link, so site owners can set things like background and font to match their own site.

eBusiness
A: 

Be aware that you're opening a potential security Pandora's box. Take a look at the Caja project; it allows you to safely embed untrusted JavaScript content.

Adam Byrtek
AFAIK, not if the site trusts us? I don't see the risk to us - if there is one please elaborate
Pete
+1  A: 

Alternative to iFrames: JSONP

JSONP is used by JavaScript widget libraries to pull in data from the widget library's server since JSONP gets around the same-origin issues.

This enables your JS widget library to provide data and UI services to the hosting page without any changes to the hosting page's server.

It's clean, neat, and avoids various iframe issues.

As mentioned in other answers, anyone including your JS in their pages is trusting that your JS is not a security/privacy issue. But that's not a problem depending on your relationship with the folks who'd include your library.

Larry K
Thank you, that looks good - do any browsers or common security settings try and block JSONP style <script> sources or tags?
Pete
Nothing blocks JSONP since it is implemented by adding a script el to the DOM dynamically, and all the browsers support that. Also, there is JSONP support from YUI, jQuery and other libraries.
Larry K
Note that the security issue is exactly the same as with JavaScript; the page has no way of blocking JavaScript in the JSON file.
eBusiness
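
The JSONP approach from the answer above, sketched from the widget provider's side as an added example (not code from the question or any of the answers). The function names, the `showBestsellers` callback and the data shape are assumptions made for illustration; the point is that the provider validates the callback name and escapes everything it emits, since the hosting page cannot.

```javascript
// Added example with hypothetical names; not from the original thread.
// Provider side: build the JSONP response for a callback name taken from the query string.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function jsonpResponse(callbackName, data) {
  // Accept only a plain identifier, so the query string can never
  // place arbitrary script into the response body.
  if (typeof callbackName !== "string" || !CALLBACK_RE.test(callbackName)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad callback" };
  }
  // Escape characters that are legal in JSON but risky inside script/HTML context.
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // stop browsers from re-guessing the type
    },
    // The leading comment keeps caller-chosen text from being the first bytes of the body.
    body: `/**/${callbackName}(${json});`,
  };
}

// Widget side: build markup from the data without trusting any field.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

function renderBestsellers(items) {
  const rows = items.slice(0, 10).map((it) => `<li>${escapeHtml(it.title)}</li>`);
  return `<ol class="bestsellers">${rows.join("")}</ol>`;
}

// Constructed sample data and constructed requests.
const sample = [{ title: "Dune" }, { title: "</script><b>x</b> & co" }];
const ok = jsonpResponse("showBestsellers", sample);
const bad = jsonpResponse("foo;bar()", sample);
console.log(ok.status, ok.body);
console.log(bad.status, bad.body);
console.log(renderBestsellers(sample));
```
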