Best practices for providing dynamic content 'drop in' widgets for third party websites?
I am wondering what best practices are for providing dynamic content in lightweight, 'drop in' widget style that can be used by third party content editors.
To elaborate, we would like to give third parties the ability to show dynamic content from us on their website without a back end system integration where they would have to call one of our APIs server side - ideally it would be possible for their content editors simply to include a provided snippet in their HTML. A concrete example would be a bestseller list that changes every few hours.
Using an IFRAME is one obvious way of accomplishing this, but I'm curious if there are others that allow tighter integration into their source and more flexible styling and are 'expected best practice' for such an offering as it isn't a field I know well - JavaScript/JSON perhaps?
I'd call an iframe best practice since it does not grant the framed content any excess rights, but having a JavaScript file that other sites can include seems pretty common as well, so you could probably get a lot of site owners to accept that. Still, the iframe is preferable; you shouldn't use JavaScript unless it really makes a difference.
You can easily make the to-be-iframed page configurable through parameters in the link, so site owners can set things like background and font to match their own site.
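As an added example (not part of the original answer), one way to keep such link parameters from becoming an injection point is to reduce them to an allow-list before they reach the framed page's CSS. The parameter names `bg`, `fg` and `font`, the font list and the function names are assumptions made for illustration.

```javascript
// Added example: render the to-be-iframed bestseller page from untrusted link parameters.
// Parameter names (bg, fg, font), the font list and the defaults are assumptions.
const FONTS = {
  sans: "Arial, Helvetica, sans-serif",
  serif: "Georgia, 'Times New Roman', serif",
  mono: "'Courier New', monospace",
};
const DEFAULTS = { bg: "#ffffff", fg: "#000000", font: "sans" };
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// Escape text before it is placed in HTML element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reduce the query string to validated values; anything unexpected falls back to a default,
// so no attacker-chosen text is ever copied into the stylesheet.
function parseStyleParams(query) {
  const p = new URLSearchParams(query);
  const color = (name) => {
    const v = p.get(name);
    if (v === null) return DEFAULTS[name];
    const c = v.startsWith("#") ? v : "#" + v; // links usually carry the colour without '#'
    return HEX_COLOR.test(c) ? c.toLowerCase() : DEFAULTS[name];
  };
  const font = p.get("font");
  // Own-property check so names like "constructor" do not match the lookup table.
  const known = font !== null && Object.prototype.hasOwnProperty.call(FONTS, font);
  return { bg: color("bg"), fg: color("fg"), font: known ? font : DEFAULTS.font };
}

// Build the framed page: the style comes only from validated values, titles are escaped.
function renderWidgetPage(query, titles) {
  const s = parseStyleParams(query);
  const css = `body{margin:0;background:${s.bg};color:${s.fg};font-family:${FONTS[s.font]}}`;
  const items = titles.map((t) => `<li>${escapeHtml(t)}</li>`).join("");
  return `<!doctype html><html><head><meta charset="utf-8"><style>${css}</style></head>` +
    `<body><ol>${items}</ol></body></html>`;
}

// Constructed sample input: a link with a custom background and font.
console.log(renderWidgetPage("bg=fdf6e3&font=serif", ["Constructed Title & Co."]));
```
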
Alternative to iFrames: JSONP
JSONP is used by JavaScript widget libraries to pull in data from the widget library's server since JSONP gets around the same-origin issues.
This enables your JS widget library to provide data and UI services to the hosting page without any changes to the hosting page's server.
It's clean, neat, and avoids various iframe issues.
As mentioned in other answers, anyone including your JS in their pages is trusting that your JS is not a security/privacy issue. But that's not a problem depending on your relationship with the folks who'd include your library.
Be aware that you're opening a potential security Pandora's box. Take a look at the Caja project; it allows you to safely embed untrusted JavaScript content.