javascript - same origin policy in external js file - Stack Overflow

If in the website http://www.mysite.com there's an external js file added as

<script src="http://www.yoursite.com/new.js"></script>

within the http://www.yoursite.com/new.js js file, there's an ajax call to a script in http://www.yoursite.com/new.js

In such a case will there be the same-origin policy security problem, as it's calling a script in a site from another website?

asked Sep 6, 2010 at 10:19 by Anish

2 Answers

There will be a problem. new.js runs in the scope of mysite.com, not yoursite.com.

EDIT: a more detailed explanation would be: when mysite.com is opening a <script> tag, that script runs in the scope of the current page. The source of the script does not matter: it can be inline, local source, or remote source, it is still considered part of mysite.com.

As you know, scripts in mysite.com cannot access anything on yoursite.com due to the same origin policy. So you cannot do this.

As an advanced option for cross-origin communication look at jsonp. It will require yoursite.com to provide a special handling, but if you have control on both sites then this should not be a problem.

JSONP is precisely what you're looking for: http://en.wikipedia/wiki/JSON

The 5,000m overview is that JSONP uses the same mechanism for requesting external scripts as you're using above. The difference is that your server will recognise this and will package up the JSON response as the argument to a callback method. When your site receives this 'script', it executes it thereby returning the data directly into your callback method.

If you are able to use a framework like jQuery, most of the client side would be transparently handled for you. Check it out here: http://api.jquery.com/jQuery.getJSON/
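The JSONP exchange described in the answers above, simulated end to end as an added example that is not part of the original posts. The names `buildJsonpResponse`, `runAsPageScript` and `handleUser` are hypothetical, and the sample data is constructed. It also shows the check the serving site needs: the callback name is echoed into executable script, so only a plain identifier is accepted.

```javascript
// Added example. All function and callback names here are hypothetical.

// Server side (yoursite): wrap the JSON in a call to the callback the client named.
// Only a plain identifier is accepted, so the parameter cannot carry script text.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function buildJsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || !SAFE_CALLBACK.test(callbackName)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  // U+2028/U+2029 are valid in JSON but were line terminators in older JavaScript.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${callbackName}(${json});`,
  };
}

// Client side (mysite): stands in for the browser loading
// <script src="...?callback=handleUser">. The body runs as script with the
// page's globals in scope, which is why the page must trust the remote site.
function runAsPageScript(pageGlobals, response) {
  if (response.status !== 200) return false;
  const names = Object.keys(pageGlobals);
  new Function(...names, response.body)(...names.map((n) => pageGlobals[n]));
  return true;
}

function demo() {
  const received = [];
  const page = { handleUser: (d) => received.push(d) };
  const sample = { id: 7, name: 'constructed sample' }; // constructed data
  const ok = runAsPageScript(page, buildJsonpResponse('handleUser', sample));
  const rejected = buildJsonpResponse('handleUser;extra()', sample);
  return { ok, received, rejected };
}
```

Because the response is executed rather than parsed, the including page gives the remote site the same privileges as its own scripts; the identifier check only protects the serving side from reflecting arbitrary text into script.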
