0

as far as i know there are cross domain restictions that wont allow you to get content from an external url and in order to overcome this , we use server side scripts.

Im wondering how facebook/google overcomes these restrictions and with a javascript code manage to generate their like box with a simple code like this :

<div id="fb-root"></div>
<script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&appId=254277301328504";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>

the reason im asking that is because im building a virtual chat bot and want the users to just use a simple javascript to generate the bot in their site(on external domain without them having to use a serverside scripting)

Thanks

lior r
  • 2,220
  • 7
  • 43
  • 80

1 Answers1

0

as far as i know there are cross domain restictions that wont allow you to get content from an external url

Not via a “normal” XMLHttpRequest. But that does not mean that external resources can’t be loaded at all. JSONP would be one example of how it can work.

Im wondering how facebook/google overcomes these restrictions

They create an iframe element inside of your page, and load a document from their own domain into it. And so they have no problem whatsoever communicating with their own domain from the page inside that iframe – because that communication is not cross-domain at all.

CBroe
  • 91,630
  • 14
  • 92
  • 150
  • so what you are saying is that the call to //connect.facebook.net/en_US/all.js generates the iframe ? – lior r Jun 25 '12 at 10:07
  • well i have done that and it works :-) but now im facing another problem ... im calling to a javscript generated by php and i want to know the original HTTP_HOST - how can i do that ? – lior r Jun 25 '12 at 11:06
  • What HTTP_HOST – what is “original”? – CBroe Jun 25 '12 at 11:39
  • $_SERVER['HTTP_HOST'] say that we have 1.php that have the script above ... the script generates an iframe with 2.php as src. now in 2.php i want to get the HTTP_HOST of 1.php ... sorry for the mess – lior r Jun 25 '12 at 12:24
  • And 1.php and 2.php are from different domains? Well, then just append that value as a GET parameter to the address of the iframe, then 2.php can read it from there. – CBroe Jun 25 '12 at 13:00
  • i don't want users (hackers) to know it is an essential value for getting the iframe content, is there another way ? – lior r Jun 25 '12 at 17:50
  • Can’t really see a security risk there (if there is one, then you should think hard about your application design … and where you went wrong with it) … but of course you could encrypt the value with a secret that’s only known server-side, if that’ll make you feel better … – CBroe Jun 26 '12 at 07:10
  • yeah that's a good idea , i have several security measures , the content is delicate so i want to be as safe as possible) and you can never be too safe :-) – lior r Jun 26 '12 at 13:08