XSS
Recently I ran into some XSS (Cross-Site Scripting) restrictions:
Security Error: Content at http://foo/bar may not load data from http://bar/foo
Error: uncaught exception: [Exception... "Access to restricted URI
denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)"
location: "http://bar/foo Line: 47"]
JavaScript on host B was running from host A and doing an XMLHttpRequest to host B. So what to do? Well, I found this article on using JSON to do cross-domain scripting (and here is even more background), but it didn’t seem like the best solution since it wasn’t clear how cross-browser compatible the solution was.
Then I realized that I could just have one JavaScript embed and no remote code if I generate the JavaScript on the fly using PHP (conceptually this is very similar to the JSON call). Doing
<script type="text/javascript" src="http://foo/bar.php"></script>
is totally valid. Embedded JS doesn’t have to have a .js extension. XSS problem solved and cross-browser compatibility retained.
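A sketch of what such a bar.php could look like, as an added example that is not the code from the original post: it emits the data as a call to a callback function, the way the JSON approach mentioned above does. The callback name `handleData`, the `callback` query parameter and the sample data are assumptions made for illustration.

```php
<?php
// bar.php - added example, not the original post's code. Requires PHP 7.3+.
// Loaded cross-host with <script src="http://foo/bar.php?callback=handleData">.
// Any site can include this URL, so the output must not depend on cookies or
// a session and must not contain per-user data.

function render_script(array $data, string $callback): string
{
    // Accept only a plain identifier as the callback name, so the request
    // parameter can never place arbitrary script text in the response.
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/', $callback)) {
        throw new InvalidArgumentException('invalid callback name');
    }
    // json_encode output is usable as a JavaScript expression; the HEX flags
    // also escape <, >, &, ' and " so the data cannot close a script element
    // or introduce markup if it is ever inlined into HTML.
    $json = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_THROW_ON_ERROR
    );
    return $callback . '(' . $json . ');';
}

if (!headers_sent()) {
    // Declare the response as script and stop browsers from sniffing it
    // into some other content type.
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample data standing in for what the XMLHttpRequest fetched.
$data = ['items' => ['alpha', '</script><b>beta'], 'count' => 2];

// A repeated parameter (callback[]=x) arrives as an array; treat it as invalid.
$callback = $_GET['callback'] ?? 'handleData';
if (!is_string($callback)) {
    $callback = '';
}

try {
    echo render_script($data, $callback);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo '/* invalid callback */';
}
```

The script that comes back runs with the full privileges of the page that embeds it, so the embedding page is trusting host foo completely.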






