5

I know the solutions for cross browser domain calls. Either use JSONP, do a proxy call, or accept domains on server. I found 1 more strange way today at my company.

Method:

They are changing the host to match the host of second server by using this -

window.location.host = "xyz.com"; or document.domain = "xyz.com";

Then they are creating a hidden iframe and getting contents in iframe and replacing contents to visible element.

Problem:

It works with iframe but if I do ajax call, it doesn't work. Any words on this?

Improve this question
3
  • This sounds like a bug or an exploit. Which browsers did you test this in? Commented Jan 31, 2012 at 20:23
  • It works in IE, Chrome. I didn't test in firefox Commented Jan 31, 2012 at 20:24
  • 3
    I'm not sure about window.location.host, but changing document.domain does allow two different subdomains on the same parent domain to communicate. developer.mozilla.org/en/Same_origin_policy_for_JavaScript Commented Feb 8, 2012 at 2:07

1 Answer 1

Reset to default
3

i'm not a fan of jsonp, it creates coupling between data and presentation, and so i researched this issue before, and well, there's a trick that you can use, follow this:

let's say we have the main window named A and the "child" window in the iframe named B. A and B must be served from the same host, but can have different subdomains, something like:

A is served from sub1.example.com

B is served from sub2.example.com

browsers will let you change the domain of the document, but still restrict you on that, so you can only change the domain by removing subdomains until you reach the host, and so in A you change the domain, like so:

document.domain = "example.com";

in B you first make an ajax call to its domain (sub2.example.com), then after the first request was sent you change the domain just like in A, so that both documents have the same domain. since you made a request to the original domain in B the browser will allow you to keep sending requests to it, but since you also changed its domain, and now A and B have the same domain they can communicate with each other.

it's important that you first make at least one request in B to its original domain, before you change the domain. also, it won't work if both pages are not served from the same host, so in most cases it does not solve the problem, but it does allow you a bit more room to maneuver.

i used this trick more than once and haven't came across any problems, as far as i'm aware, it works in all browsers, let me know if it doesn't in some cases.

here's a pseudo example:

in A ================== document.domain = "example.com"; var child; // keep reference to B function setChild(win) { childDocument = win; } function handleMessage(message) { do what ever it is you need to } in B ================== make ajax request document.domain = "example.com"; parent.setChild(this); function ajaxCallback(message) { parent.handleMessage(message); }
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I will try that as well. But I tried ajax by just changing domain and it didn't work for me earlier. But I will give a try this way. Iframe works fine in case of sub domain calls. You can find solution here : github.com/emphaticsunshine/Cross-sub-domain-solution
you have to first make an ajax call and only then can you change the domain, otherwise, since you changed the domain before making an ajax request, the requests will fail due to the security policy. if i understand your solution, then it's exactly like jsonp, with the limitation that the iframe sources can only be served from the same host.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.