开发者

How does Google Friend Connect accomplish cross domain communication without needing to upload a file to the client domain?

问答 作者:

Previously, Google's Friend Connect required users to upload 开发者_运维知识库a couple of files to their websites to enable cross domain communication and Facebook Connect still requires you to upload a single file to enabled it.

Now, Friend Connect doesn't require any file upload... I was wondering how they were able to accomplish this.

Reference: http://www.techcrunch.com/2009/10/02/easy-does-it-google-friend-connect-one-ups-facebook-connects-install-wizard/

There are multiple methods of communicating between documents on different domains, amongst these HTML5 postMessage, NIX, FIM(hash/fragment), frameElement and by using the window.name property.

These are available on different browsers and in different versions, but collectively they allow you to do reliable XDM (cross domain messaging).

One project that have done this earlier is Apache Shindig, which probably pioneered quite a few of these, and more recently, the project easyXDM has come, unifying all of these approaches with a common API, making it easy to create complex applications using XDM and RPC.

You can read in depth about the various methods of transporting the data in this article at Script Junkie.

Now, to answer your question directly, earlier on it was quite common to believe that there was only postMessage, the FIM (Fragment Identifier Messaging) available, and for the latter to work efficiently, one often had to upload a special file to your domain. As more methods have been discovered, this has by many been deprecated as a technique, and hence; no more need for the file.

Just for the record; I'm the author of both the Script Junkie article, and the easyXDM library (that is what Twitter, Disqus and quite a few more are using by the way).

<edit>It's difficult to remember/verify now, but I believe my answer here was probably incorrect. Sean Kinsey's answer above should be the definitive answer to this question. If you're reading this, please upvote his answer and ignore mine.</edit>

The Google Friend Connect widget works like most ads/gadgets do, using a copy/pasted snippet of HTML to reference a JavaScript include on the host's server which then creates an iframe containing the desired content. By opening the iframe with your site ID in the URL, Google's server is able to generate the appropriate HTML document to represent a Friend Connect gadget for your particular site/settings.

There isn't any cross-site communication happening beyond that initial step of creating an iframe with the appropriate URL target. Everything inside the gadget's dynamically generated iframe is more like the user visited a separate page on Google's server, but what would have been displayed is then embedded/isolated in a block on your page instead.

I'm not sure how it works in this particular instance but cross-domain messaging can be accomplished either by the postMessage() API or by changing the hash part of the URL and monitoring that.

The hash change method works because both the enclosing and the enclosed pages have access to the enclosed page's URL.

Of course, hopefully the postMessage() API call becomes more standard over time.

JSON allows cross-domain javascript.

  • Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.
  • Script and JSONP requests are not subject to the same origin policy restrictions.

There is no other method than using the somewindow.postMessage(); for communication between cross-domain iframes.

Before somewindow.postMessage() you had to upload file in order to ensure that you can establish communication between iframes.

example:

     <html>
<!-- this is main domain www.example.com -->
        <head>
        </head>
        <body>
      <iframe src="http://www.exampleotherdomain.com/">
      <script>
      function sendMsg(a) {

       var f = document.createElement('iframe'),
           k = document.getElementById('ifr');

           f.setAttribute('src', 'http://www.example.com/xdreciver.html#myValueisSent');
           k.appendChild(f);
           k.removeChild(f);
      }
      </script>


      <div id="ifr"></div>
      </iframe>
        </body>
        </html>

now the http://www.example.com/xdreciver.html html content :

     <html>
<!-- this is http://www.example.com/xdreciver.html -->
        <head>
      <script>
      function getMsg() {

             return window.location.hash;
      }
      </script>
        </head>
        <body onload="var msg = getMsg(); alert(msg);">



        </body>
        </html>

As for using the .postMessage(); its enough to use top.postMessage('my message to other domain document, which is also the main document', 'http://www.theotherdomain.com');

继续阅读:cross-domainjavascriptxss

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9