Cross Site Scripting – the new old way
October 20th, 2009

Cross Site Scripting (XSS) is a big security no-no. It's never supposed to happen, because as we all know, any script operating within your page has full access to the entire DOM of the page, and through it to everything the user can see or do there.
Then again, there is so much functionality that we want to implement without reinventing the wheel. Marketing departments want to use third-party tracking tools. The IT folks want to distribute the load for our network-heavy site across the third-level domains www.domain.com, static.domain.com and data.domain.com (which, to the browser's same-origin policy, are three different origins). And users want more functionality than we can hope to provide on our own.
So, resigned to the reality that loading script from another origin is a legitimate necessity (it is the very thing an XSS attack abuses, here done on purpose and only with script we trust), we need a way to do it. The old way (going back to the mid-90's, in fact) was straightforward:
// A literal </script> inside an inline script ends the enclosing script element itself,
// so the closing tag has to be broken up (here with a backslash) for this to work at all.
document.write('<script language="JavaScript" type="text/javascript" src="http://data.domain.com/myscript.js"><\/script>');
This is problematic: it splices raw markup into the document instead of creating a DOM node, it does not work at all in XHTML documents, and if it runs after the page has finished loading it replaces the entire document. Instead, jQuery's JSONP support does the same thing, insert a new script node into the DOM, but through the DOM API, so it works in XHTML too.
Accessing JSONP is pretty straightforward:
$.getJSON("http://data.domain.com/myscript?callback=?", inPageFunction);
The key bit is callback=? (note that the first query parameter is introduced with ?, not &). jQuery replaces the ? with the name of a function it generates, inserts a script node whose src is that URL, and the server answers with a script that calls the named function with the JSON as its argument. That script runs as soon as it loads, and jQuery passes the argument on to your callback function, inPageFunction. Written with your own function name in place of jQuery's generated one, the response looks like this:
// What the server sends back (jQuery substitutes its own generated name for inPageFunction)
inPageFunction({"data": "foo"});
If you forget callback=?, jQuery falls back to a plain XMLHttpRequest, which the browser blocks under the same-origin policy (Firefox reports it as Access to restricted URI denied). And yes, since we're inserting a script node, we're limited to GET requests, with everything in the URL. Remember too that whatever the remote endpoint returns runs with full access to your page, so this is only for endpoints you trust as much as your own code. And if the call fails, you'll simply get nothing back – no useful error messages.
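The mechanism described above, as an added example written for this page rather than taken from the original post or from jQuery: a JSONP round trip done directly against the DOM (the part jQuery hides behind callback=?), together with the server side, which the post does not show. The security check worth taking away is on the server: the callback parameter is copied verbatim into a script that every embedding page will execute, so it must be restricted to a plain identifier before it is echoed. The endpoint http://data.domain.com/myscript and the payload {data: "foo"} come from the post; the parameter name "callback" (jQuery's default), the function names jsonpUrl, registerCallback, insertScript, jsonpResponseUnsafe, jsonpResponse and simulateJsonp, the jsonp_cb_N naming and the hostile input are all assumptions of this example. The simulation stands in for the browser so the file also runs under Node; in a real page you would call insertScript(document, url) instead.

```javascript
// Added example (not from the original post): a minimal JSONP round trip
// against the DOM, plus the server-side callback check. Endpoint and payload
// come from the post; the "callback" parameter name, all function names and
// the hostile input below are assumptions of this example.

// ---- client side ----------------------------------------------------------

let jsonpCounter = 0;

// Build the request URL. The first query parameter is introduced with "?";
// "&callback=" is only right when the URL already carries a query string.
function jsonpUrl(base, callbackName) {
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + "callback=" + encodeURIComponent(callbackName);
}

// Register a uniquely named global function and return its name. This is the
// function the response script will call; it is removed again after one use.
function registerCallback(onData) {
  const name = "jsonp_cb_" + (++jsonpCounter);
  globalThis[name] = function (data) {
    delete globalThis[name];
    onData(data);
  };
  return name;
}

// Insert the <script> element through the DOM API (browser only; the
// simulation below stands in for this step so the file also runs in Node).
function insertScript(doc, url) {
  const s = doc.createElement("script");
  s.type = "text/javascript";
  s.src = url;
  doc.getElementsByTagName("head")[0].appendChild(s);
  return s;
}

// ---- server side ----------------------------------------------------------

// A JavaScript identifier, optionally dotted ("app.handlers.onData").
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Vulnerable form: whatever arrived in ?callback= is echoed verbatim into a
// script that every page embedding this endpoint will execute.
function jsonpResponseUnsafe(callbackParam, payload) {
  return callbackParam + "(" + JSON.stringify(payload) + ");";
}

// Hardened form: refuse anything that is not a plain identifier, and label
// the body as script so a browser never renders it as HTML.
function jsonpResponse(callbackParam, payload) {
  if (typeof callbackParam !== "string" || !CALLBACK_RE.test(callbackParam)) {
    throw new Error("invalid JSONP callback name: " + callbackParam);
  }
  return {
    contentType: "application/javascript",
    body: callbackParam + "(" + JSON.stringify(payload) + ");",
  };
}

// ---- simulated round trip -------------------------------------------------

// Plays the browser: builds the URL, lets the "server" parse the query string
// and produce the script, then executes that script at global scope exactly
// as a <script src=...> element would. Returns what each side saw.
function simulateJsonp(base, payload) {
  let received = null;
  const cbName = registerCallback((data) => { received = data; });
  const url = jsonpUrl(base, cbName);
  const sent = new URL(url).searchParams.get("callback");
  const resp = jsonpResponse(sent, payload);
  new Function(resp.body)();
  return { url, body: resp.body, received };
}

const demo = simulateJsonp("http://data.domain.com/myscript", { data: "foo" });
// demo.body is 'jsonp_cb_1({"data":"foo"});' and demo.received.data is "foo"

// What the unsafe endpoint would hand every embedding page for an
// attacker-chosen callback parameter (constructed hostile input):
const hostile = jsonpResponseUnsafe("alert(document.cookie);//", { data: "foo" });
// hostile is 'alert(document.cookie);//({"data":"foo"});'
```

The identifier check in jsonpResponse is the whole difference between the two server functions: with it, the only thing a caller can choose is which function of its own page gets called; without it, anyone who can get a victim to load the endpoint URL chooses the script that runs in the victim's page. The client side shows why the post's trust point matters: the response is executed, not parsed, so nothing on the client can inspect it first.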
Further, the next generation of browsers is coming out with integrated support for cross-site XMLHttpRequest (Cross-Origin Resource Sharing, or CORS, where the server opts in with an Access-Control-Allow-Origin header and the response is handed to your code as data rather than executed as script), but since when have we not had to code to support multiple versions of browsers?
There are loads of good guides to expand your knowledge:
- What the heck is JSONP and why should you use it?
- JSONP, Quickly
- Cross-domain communications with JSONP, Part 1
- Cross-domain communications with JSONP, Part 2


10 Comments
November 18th, 2009 at 1:32 pm
A kind of interesting topic
December 27th, 2009 at 5:43 am
When some students buy essays and buy custom writing about this post, it can be possible to get really good quality.
December 27th, 2009 at 8:35 am
Very often it occurs that you do not have time to write your dissertation idea close to this good post. Some students make a big problem of it, just because they do not know about the thesis service, but I can show you knowledge about the proper ways to find the professional dissertation service and the way to buy a dissertation online not very expensively.
January 4th, 2010 at 6:25 pm
I think that the students must know about this post and essay writing. At the term paper writing services it’s really easy to buy pre-finished essays and custom essay about this good topic.
January 8th, 2010 at 12:29 am
Thanks for sharing this information. I got a chance to know about this.
January 10th, 2010 at 12:17 am
Cross Site Scripting is an old method but it is more useful. Old is Gold. Using the script is well told in the YouTube video. Thanks
January 23rd, 2010 at 4:50 am
There are the quantities of buy dissertation or thesis writing services, but your best knowledge is connected with this good post. Moreover, to know more you should purchase the free dissertation.
July 15th, 2010 at 4:19 am
Though we would all like to be able to do website designing for own website, we all aren’t able to, whether we just don’t understand the various elements or we just don’t have the time or don’t have the required expertise; the use of a top website design company is a must have. Just any website design company will not do; there are various things that can make a web design company a best web design company who will provide the exact services you need to meet the exact specifications you provide and request.
July 21st, 2010 at 7:03 am
If you want to buy real estate, you will have to receive the loan. Moreover, my father usually utilizes a financial loan, which occurs to be the most firm.
August 22nd, 2010 at 3:33 am
Hey – nice blog, just looking around some blogs, seems a pretty nice platform you are using. I’m currently using Wordpress for a few of my sites but looking to change one of them over to a platform similar to yours as a trial run. Anything in particular you would recommend about it?