Can I grant explicit Javascript methods to a different-host iframe?

I'm thinking about a system in which I allow users to create Javascript-empowered widgets for other users to embed in their dashboard on my website. I'd like to limit these widgets fairly strictly, so each would exist as an iframe kept on its own unique hostname: the widget with ID #47 would be accessible at w47.widgets.example.com, for example.

It would be helpful, for permission-granting dialogs and the like, to allow the widget to call very specific methods explicitly granted by the parent 开发者_JAVA百科window, without authorizing the iframe to do whatever it likes with the parent frame on the user's behalf.

Is it possible for a parent document to explicitly allow certain method calls to a child document on a different host?

You could create your own protocol with postMessage and receiveMessage to let exactly what you want through. This may not work for you if you have a large variety of browsers to support, though. Older browsers (IE 7 and below, for example) require a workaround to do this technique that's kind of nasty.