same origin policy in external js file
If in the website http://www.mysite.com there's an external js file added as
<script src="http://www.yoursite.com/new.js"></script>
within the http://www.yoursite.com/new.js js file, there's an ajax call to a script in http://www.yoursite.com/new.js
In such a case, will there be the same-origin policy security problem, as it's calling a script in a site from another website?
There will be a problem. new.js runs in the scope of mysite.com, not yoursite.com.
EDIT: a more detailed explanation would be: when mysite.com is opening a tag, that script runs in the scope of the current page. The source of the script does not matter: it can be inline, local source, or remote source, it is still considered part of mysite.
As you know, scripts in mysite.com cannot access anything on yoursite.com due to the same origin policy. So you cannot do this.
As an advanced option for cross-origin communication look at jsonp. It will require yoursite.com to provide a special handling, but if you have control on both sites then this should not be a problem.
JSONP is precisely what you're looking for: http://en.wikipedia.org/wiki/JSON
The 5,000m overview is that JSONP uses the same mechanism for requesting external scripts as you're using above. The difference is that your server will recognise this and will package up the JSON response as the argument to a callback method. When your site receives this 'script', it executes it thereby returning the data directly into your callback method.
If you are able to use a framework like jQuery, most of the client side would be transparently handled for you. Check it out here: http://api.jquery.com/jQuery.getJSON/
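The JSONP exchange described in the answers above, as an added example that is not part of the original posts: the yoursite.com side wraps JSON in the requested callback, and the mysite.com side receives it by executing the returned script. The names jsonpBody, loadJsonp and handleData and the sample data are assumptions made for illustration; the callback-name check is there because that name is reflected into script that runs in mysite.com's scope.

```javascript
// Added example: constructed names and data, not code from the original posts.

// --- Server side (yoursite.com, hypothetical handler) ---
// The callback name comes from the ?callback= query parameter and is echoed
// into executable script, so accept only a plain JavaScript identifier.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function jsonpBody(callbackName, data) {
  if (typeof callbackName !== 'string' || !SAFE_CALLBACK.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  // Escape U+2028/U+2029: valid inside JSON, but line terminators in older
  // JavaScript engines, where they would break the generated script.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // Serve this with Content-Type: application/javascript.
  return `${callbackName}(${json});`;
}

// --- Client side (a page on mysite.com) ---
// In a browser the page defines window.handleData and adds
//   <script src="http://www.yoursite.com/data?callback=handleData"></script>
// Script loading is not restricted by the same-origin policy, and the
// response executes in mysite.com's scope. new Function stands in for that
// script execution here so the example runs under Node without a browser.
function loadJsonp(callbackName, scriptBody) {
  let received;
  const callback = (payload) => { received = payload; };
  new Function(callbackName, scriptBody)(callback);
  return received;
}

function demo() {
  // Constructed sample payload.
  const body = jsonpBody('handleData', { user: 'alice', roles: ['admin'] });
  return { body, received: loadJsonp('handleData', body) };
}

console.log(demo());
```

Because the response is executed rather than parsed, mysite.com is trusting yoursite.com with full script access to the page, which is why this only makes sense when you control both sites.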