Comments on: alternative to XMLHttpRequest

Question: alternative to XMLHttpRequest

Dag Maggot — Sun, 12 Mar 2006 17:47:44 -0800

Is there an alternative to XMLHttpRequest that would work across different domains?

I'm working on an "external voting button" similar the one on Digg, that submits to the server without actually having to leave the page. I want to run it so that external sites can use it to submit back to the mother server. The problem I've run into is the security restriction with XMLHttpRequest, in that it will only submit back to the domain name that the current page is actually hosted by. Is there a way around this?

I found this but I'm not sure exactly what he's doing, or what "dynamic script tags" are.

By: jaded

jaded — Sun, 12 Mar 2006 17:50:16 -0800

While my knowledge of javascript and things ajaxy is somewhat limited, I'm pretty sure not.

BUT - this sort of thing is fairly trivial using a server side language like PHP. If your XMLHttpRequest calls a php script that fetches data from somewhere else, that should work.

By: Rhomboid

Rhomboid — Sun, 12 Mar 2006 18:07:10 -0800

Your link is malformed, it looks like you meant to link to here.

Can you create a hidden IFRAME and load the external URL there?

By: Dag Maggot

Dag Maggot — Sun, 12 Mar 2006 18:09:59 -0800

yes, thanks for the link fix. Doesn't an Iframe like that have the same problem? Has to be from the same domain or a pop-up ensures?

By: delmoi

delmoi — Sun, 12 Mar 2006 18:15:58 -0800

Yeah, simplest thing is just to load the URL inside your PHP script on the server.

By: Dag Maggot

Dag Maggot — Sun, 12 Mar 2006 18:39:10 -0800

Well see, the problem I'm having, is that I need to avoid a server side solution, because I want to give users the ability to drop a small javascript into their blog and have it just work, just like Technorati, or a google adword.

That's where the cross domain security lockdown of XMLHttpRequest stumps me.

By: IshmaelGraves

IshmaelGraves — Sun, 12 Mar 2006 18:57:11 -0800

Could you have the link/button/whatever itself in an IFRAME, which loaded a page on your server to display the button? Such that the XMLHttpRequest was made from within the IFRAME and thus to the same server? I don't know whether this would work.

By: Rhomboid

Rhomboid — Sun, 12 Mar 2006 18:57:23 -0800

I could be wrong but I don't think you'll run into cross-domain problems with an IFRAME. Certainly, if you load a page from an unrelated domain in a frame it should not have access to the cookies, DOM, and so on of the parent, so you can't interact between the two. But it seems to me that the point here is just to "hit" a URL, not to necessarily do anything with the results, and in that sense an IFRAME should work fine. If they didn't allow this then I think a whole lot of advertising would break, since those seem to be on radically different domains.

By: Dag Maggot

Dag Maggot — Sun, 12 Mar 2006 19:01:25 -0800

OK, thanks, I will give that a try, I thought that iFrames were restrictive in this way, but I'll have a play.

By: null terminated

null terminated — Sun, 12 Mar 2006 19:01:54 -0800

You can include javascript remotely.

By: SNACKeR

SNACKeR — Sun, 12 Mar 2006 19:20:59 -0800

You shouldn't need an IFRAME, just set the src on a hidden IMG tag to your url, with the data as querystring params.

By: Dag Maggot

Dag Maggot — Sun, 12 Mar 2006 19:45:10 -0800

Good idea Snacker, but I want this to be a button, and not to send the variables until clicked (not on page load).

By: mmascolino

mmascolino — Sun, 12 Mar 2006 20:08:30 -0800

what if you host the javascript file on your mothership server, and have them reference that file to be included into their pages. This is much like how including Google Adsense into a website works. I am not 100% sure that this gets around cross domain security issues, but it might be something worthwhile to try.

By: IshmaelGraves

IshmaelGraves — Sun, 12 Mar 2006 20:14:40 -0800

Building on Snacker's idea, if you're not concerned with getting a response from the server, could you try a button with an onClick method which replaces its SRC attribute with one that contains the relevant URL parameters?

By: nielm

nielm — Mon, 13 Mar 2006 02:49:00 -0800

Simple solution -- If you only need a success/fail response, load an image from the voting server with JS:
In the onClick method, create a new Image, and load the, where the URL of the image is the php voting script on the other server -- and get this script to return a dummy 1x1 image.

eg:
voteurl="http://voting.server.site/path/to/voting_script.php?vote=voting_args"; /* Disable voting button here, and set it to a 'submitting' image to avoid mutliple clicks */ CmdImage=new Image(); CmdImage.onload=new Function('Some_js_to_modify_voting_button_to_indicate_successful_voting'); CmdImage.onerror=new Function('window.location="'+voteurl+'";'); /* load the image / submit the vote */ CmdImage.src=voteurl+"&returnImage=true";

The onerror action is to handle failures: resubmit the same vote, but this time load the entire page so that any errors can be displayed.

Also make sure that the voting script sets all the appropriate expires/nocache headers so that the returned image does not get cached.

By: nielm

nielm — Mon, 13 Mar 2006 02:49:41 -0800

Just realised, this is like IshmaelGraves solution :)

By: nicwolff

nicwolff — Wed, 05 Apr 2006 16:52:45 -0800

Also make sure that the voting script sets all the appropriate expires/nocache headers so that the returned image does not get cached.

Or, just add a random argument to the call, like

CmdImage.src=voteurl+"&returnImage=true&rand="+Math.random();