AJAX Mash-up Sites?

Discussion in 'Javascript' started by VUNETdotUS, Sep 26, 2007.

  1. VUNETdotUS

    VUNETdotUS Guest

    My research I did a while ago showed there was no possibility to get
    web page content from a third-party website with AJAX only, without
    using a server side technology. Now I have to re-investigate this case
    and look for a workaround, perhaps, to allow client side to get the
    content of the external page, living on another server. In case you
    are wondering, there is no content stealing: both parties agree to
    exchange data.
    Please, advise if you know of any examples, links or suggestion as to
    how a client can request external page content.
    Thanks.
    VUNETdotUS, Sep 26, 2007
    #1
    1. Advertising

  2. On Sep 26, 4:37 pm, VUNETdotUS <> wrote:
    > My research I did a while ago showed there was no possibility to get
    > web page content from a third-party website with AJAX only, without
    > using a server side technology. Now I have to re-investigate this case
    > and look for a workaround, perhaps, to allow client side to get the
    > content of the external page, living on another server. In case you
    > are wondering, there is no content stealing: both parties agree to
    > exchange data.


    If the third party can be trusted you can have them provide the data
    as a piece of JavaScript, and pass data to them in the query string:

    <script type="text/javascript">
    function myFunction(third_party_code) {
    // etc
    }
    </script>
    <script src="http://example.com/foo/?hello=world">
    // which would contain something like:
    myFunction({ foo: 'bar', baz: [1,2,3,4] });
    </script>

    The script element that sourced the third party data could be
    dynamically generated.

    --
    David Dorward
    http://dorward.me.uk/
    http://blog.dorward.me.uk/
    David Dorward, Sep 26, 2007
    #2
    1. Advertising

  3. On Sep 26, 8:37 am, VUNETdotUS <> wrote:
    > My research I did a while ago showed there was no possibility to get
    > web page content from a third-party website with AJAX only, without
    > using a server side technology. Now I have to re-investigate this case
    > and look for a workaround, perhaps, to allow client side to get the
    > content of the external page, living on another server. In case you
    > are wondering, there is no content stealing: both parties agree to
    > exchange data.
    > Please, advise if you know of any examples, links or suggestion as to
    > how a client can request external page content.
    > Thanks.


    If your site is foo.com and the other is bar.net then you can play a
    trick...

    Set up the domain name servers so that bar.foo.com points to bar.net

    Then in your JavaScript write

    document.domain = 'foo.com';

    Now you can make Ajax requests to both foo.com and bar.foo.com. It's
    just like you can make requests to foo.com and bar.net.

    This works around the XMLHttpRequest "same origin policy".

    I believe that I read this trick on Ajaxian some time this year.

    Peter
    Peter Michaux, Sep 26, 2007
    #3
  4. VUNETdotUS

    David Mark Guest

    On Sep 26, 11:37 am, VUNETdotUS <> wrote:
    > My research I did a while ago showed there was no possibility to get
    > web page content from a third-party website with AJAX only, without
    > using a server side technology. Now I have to re-investigate

    this case

    That's not true.

    > and look for a workaround, perhaps, to allow client side to get the
    > content of the external page, living on another server. In case you
    > are wondering, there is no content stealing: both parties agree to
    > exchange data.
    > Please, advise if you know of any examples, links or suggestion as to
    > how a client can request external page content.


    The same way it requests any other content. It only fails if a user's
    browser settings restrict cross-domain requests. Since this may rule
    it out for your particular application, you can use dynamically
    created script elements as described in a previous post.
    David Mark, Sep 26, 2007
    #4
  5. Peter Michaux wrote:
    > If your site is foo.com and the other is bar.net then you can play a
    > trick...
    >
    > Set up the domain name servers so that bar.foo.com points to bar.net
    >
    > Then in your JavaScript write
    >
    > document.domain = 'foo.com';
    >
    > Now you can make Ajax requests to both foo.com and bar.foo.com. It's
    > just like you can make requests to foo.com and bar.net.
    >
    > This works around the XMLHttpRequest "same origin policy".


    It doesn't. This works for DOM Level 0 objects only.


    PointedEars
    --
    "Use any version of Microsoft Frontpage to create your site. (This won't
    prevent people from viewing your source, but no one will want to steal it.)"
    -- from <http://www.vortex-webdesign.com/help/hidesource.htm>
    Thomas 'PointedEars' Lahn, Sep 26, 2007
    #5
  6. On Sep 26, 3:22 pm, Thomas 'PointedEars' Lahn <>
    wrote:
    > Peter Michaux wrote:
    > > If your site is foo.com and the other is bar.net then you can play a
    > > trick...

    >
    > > Set up the domain name servers so that bar.foo.com points to bar.net

    >
    > > Then in your JavaScript write

    >
    > > document.domain = 'foo.com';

    >
    > > Now you can make Ajax requests to both foo.com and bar.foo.com. It's
    > > just like you can make requests to foo.com and bar.net.

    >
    > > This works around the XMLHttpRequest "same origin policy".

    >
    > It doesn't. This works for DOM Level 0 objects only.


    What do you mean?

    Peter
    Peter Michaux, Sep 26, 2007
    #6
  7. Peter Michaux wrote:
    > [...] Thomas 'PointedEars' Lahn [...] wrote:
    >> Peter Michaux wrote:
    >>> If your site is foo.com and the other is bar.net then you can play a
    >>> trick...
    >>> Set up the domain name servers so that bar.foo.com points to bar.net
    >>> Then in your JavaScript write
    >>> document.domain = 'foo.com';
    >>> Now you can make Ajax requests to both foo.com and bar.foo.com. It's
    >>> just like you can make requests to foo.com and bar.net.
    >>> This works around the XMLHttpRequest "same origin policy".

    >> It doesn't. This works for DOM Level 0 objects only.

    >
    > What do you mean?


    The Same Origin Policy was introduced with DOM Level 0 objects where
    properties could be tainted; some properties were tainted and others were
    not. The tainting was dropped later but the policy and affected properties
    remained. Setting `document.domain' therefore was and is a way to work
    around the SOP for those objects if there is the same second-level domain
    (as you described).

    http://docs.sun.com/source/816-6409-10/sec.htm#1021266

    However, that does not work for XHR (as that is not part of DOM Level 0),
    and that, at least partly, is good so.

    http://web.archive.org/web/20050404...=javascript:xmlhttprequest:behaviour#security
    http://www.mozilla.org/projects/security/components/jssec.html

    This can be tested easily. Execute the following in the context of
    <http://www.google.com/>:

    try
    {
    document.domain = "google.com";

    var x = new XMLHttpRequest();
    x.open("GET", "http://groups.google.com/", false);
    x.send(null);
    window.alert(x.responseText);
    }
    catch (e)
    {
    // "Permission denied to call method XMLHttpRequest.open"
    // even though document.domain was set
    window.alert(e);
    }

    Tested with Firebug 1.05 on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

    It might be that some UAs work differently (although IE 6+7 and Opera 9.23
    behaved much the same in my tests), however that would be a security issue
    that would be fixed soon.


    PointedEars
    --
    "Use any version of Microsoft Frontpage to create your site. (This won't
    prevent people from viewing your source, but no one will want to steal it.)"
    -- from <http://www.vortex-webdesign.com/help/hidesource.htm>
    Thomas 'PointedEars' Lahn, Sep 27, 2007
    #7
  8. On Sep 26, 4:46 pm, Thomas 'PointedEars' Lahn <>
    wrote:
    > Peter Michaux wrote:
    > > [...] Thomas 'PointedEars' Lahn [...] wrote:
    > >> Peter Michaux wrote:
    > >>> If your site is foo.com and the other is bar.net then you can play a
    > >>> trick...
    > >>> Set up the domain name servers so that bar.foo.com points to bar.net
    > >>> Then in your JavaScript write
    > >>> document.domain = 'foo.com';
    > >>> Now you can make Ajax requests to both foo.com and bar.foo.com. It's
    > >>> just like you can make requests to foo.com and bar.net.
    > >>> This works around the XMLHttpRequest "same origin policy".
    > >> It doesn't. This works for DOM Level 0 objects only.

    >
    > > What do you mean?

    >
    > The Same Origin Policy was introduced with DOM Level 0 objects where
    > properties could be tainted; some properties were tainted and others were
    > not. The tainting was dropped later but the policy and affected properties
    > remained. Setting `document.domain' therefore was and is a way to work
    > around the SOP for those objects if there is the same second-level domain
    > (as you described).
    >
    > http://docs.sun.com/source/816-6409-10/sec.htm#1021266
    >
    > However, that does not work for XHR (as that is not part of DOM Level 0),
    > and that, at least partly, is good so.
    >
    > http://web.archive.org/web/20050404...a.org/projects/security/components/jssec.html
    >
    > This can be tested easily. Execute the following in the context of
    > <http://www.google.com/>:
    >
    > try
    > {
    > document.domain = "google.com";
    >
    > var x = new XMLHttpRequest();
    > x.open("GET", "http://groups.google.com/", false);
    > x.send(null);
    > window.alert(x.responseText);
    > }
    > catch (e)
    > {
    > // "Permission denied to call method XMLHttpRequest.open"
    > // even though document.domain was set
    > window.alert(e);
    > }
    >
    > Tested with Firebug 1.05 on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    > rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
    >
    > It might be that some UAs work differently (although IE 6+7 and Opera 9.23
    > behaved much the same in my tests), however that would be a security issue
    > that would be fixed soon.


    Well, it looks like my memory has betrayed me on this one. I only
    played with the document.domain property once over a year ago. I
    looked around on Ajaxian and couldn't find the article I remember
    reading about playing a trick with the domain name servers. There is
    some trick of some kind out there somewhere.

    Thanks,
    Peter
    Peter Michaux, Sep 27, 2007
    #8
  9. On Sep 26, 5:52 pm, Peter Michaux <> wrote:
    > On Sep 26, 4:46 pm, Thomas 'PointedEars' Lahn <>
    > wrote:
    >
    >
    >
    > > Peter Michaux wrote:
    > > > [...] Thomas 'PointedEars' Lahn [...] wrote:
    > > >> Peter Michaux wrote:
    > > >>> If your site is foo.com and the other is bar.net then you can play a
    > > >>> trick...
    > > >>> Set up the domain name servers so that bar.foo.com points to bar.net
    > > >>> Then in your JavaScript write
    > > >>> document.domain = 'foo.com';
    > > >>> Now you can make Ajax requests to both foo.com and bar.foo.com. It's
    > > >>> just like you can make requests to foo.com and bar.net.
    > > >>> This works around the XMLHttpRequest "same origin policy".
    > > >> It doesn't. This works for DOM Level 0 objects only.

    >
    > > > What do you mean?

    >
    > > The Same Origin Policy was introduced with DOM Level 0 objects where
    > > properties could be tainted; some properties were tainted and others were
    > > not. The tainting was dropped later but the policy and affected properties
    > > remained. Setting `document.domain' therefore was and is a way to work
    > > around the SOP for those objects if there is the same second-level domain
    > > (as you described).

    >
    > >http://docs.sun.com/source/816-6409-10/sec.htm#1021266

    >
    > > However, that does not work for XHR (as that is not part of DOM Level 0),
    > > and that, at least partly, is good so.

    >
    > >http://web.archive.org/web/20050404123540/http://jpspan.sourceforge.n...

    >
    > > This can be tested easily. Execute the following in the context of
    > > <http://www.google.com/>:

    >
    > > try
    > > {
    > > document.domain = "google.com";

    >
    > > var x = new XMLHttpRequest();
    > > x.open("GET", "http://groups.google.com/", false);
    > > x.send(null);
    > > window.alert(x.responseText);
    > > }
    > > catch (e)
    > > {
    > > // "Permission denied to call method XMLHttpRequest.open"
    > > // even though document.domain was set
    > > window.alert(e);
    > > }

    >
    > > Tested with Firebug 1.05 on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    > > rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

    >
    > > It might be that some UAs work differently (although IE 6+7 and Opera 9.23
    > > behaved much the same in my tests), however that would be a security issue
    > > that would be fixed soon.

    >
    > Well, it looks like my memory has betrayed me on this one. I only
    > played with the document.domain property once over a year ago. I
    > looked around on Ajaxian and couldn't find the article I remember
    > reading about playing a trick with the domain name servers. There is
    > some trick of some kind out there somewhere.


    Perhaps something like this...

    <URL: http://www.xml.com/pub/a/2005/11/09/fixing-ajax-xmlhttprequest-considered-harmful.html?page=2>

    In relation to my previous example, this shows using apache to proxy

    http://foo.com/bar/ to http://bar.net/

    Peter
    Peter Michaux, Sep 27, 2007
    #9
  10. VUNETdotUS

    VUNETdotUS Guest

    Is IFRAME trick possible if I load IFRAME with src='anotherdomain.com'
    and access with document.getElementById("myiframe").contentWindow?
    It does get a reference to IFRAME object but I cannot find a way to
    get its innerText or innerHTML property.
    Thanks.
    VUNETdotUS, Sep 27, 2007
    #10
  11. VUNETdotUS

    Erwin Moller Guest

    VUNETdotUS wrote:
    > My research I did a while ago showed there was no possibility to get
    > web page content from a third-party website with AJAX only, without
    > using a server side technology. Now I have to re-investigate this case
    > and look for a workaround, perhaps, to allow client side to get the
    > content of the external page, living on another server. In case you
    > are wondering, there is no content stealing: both parties agree to
    > exchange data.
    > Please, advise if you know of any examples, links or suggestion as to
    > how a client can request external page content.
    > Thanks.
    >


    Hi,

    As you have seen in the other responses, it will be tricky: changing
    policy in browser, or using an iframe.
    Which brings me to: WHY do you avoid serverside scripting?
    Getting a random page via AJAX is simple WITH serverside scripting.

    In PHP it would be simple as:

    <?php
    $requestedPage = $_POST["requestedpage"];
    echo file_get_contents($requestedPage);
    ?>

    What is wrong with a little serverside help?

    Regards,
    Erwin Moller
    Erwin Moller, Sep 27, 2007
    #11
  12. VUNETdotUS

    VUNETdotUS Guest

    On Sep 27, 10:57 am, Erwin Moller
    <> wrote:
    > VUNETdotUS wrote:
    > > My research I did a while ago showed there was no possibility to get
    > > web page content from a third-party website with AJAX only, without
    > > using a server side technology. Now I have to re-investigate this case
    > > and look for a workaround, perhaps, to allow client side to get the
    > > content of the external page, living on another server. In case you
    > > are wondering, there is no content stealing: both parties agree to
    > > exchange data.
    > > Please, advise if you know of any examples, links or suggestion as to
    > > how a client can request external page content.
    > > Thanks.

    >
    > Hi,
    >
    > As you have seen in the other responses, it will be tricky: changing
    > policy in browser, or using an iframe.
    > Which brings me to: WHY do you avoid serverside scripting?
    > Getting a random page via AJAX is simple WITH serverside scripting.
    >
    > In PHP it would be simple as:
    >
    > <?php
    > $requestedPage = $_POST["requestedpage"];
    > echo file_get_contents($requestedPage);
    > ?>
    >
    > What is wrong with a little serverside help?
    >
    > Regards,
    > Erwin Moller


    It is a very high traffic problem.
    VUNETdotUS, Sep 27, 2007
    #12
  13. On Sep 27, 7:27 am, VUNETdotUS <> wrote:
    > Is IFRAME trick possible if I load IFRAME with src='anotherdomain.com'
    > and access with document.getElementById("myiframe").contentWindow?
    > It does get a reference to IFRAME object but I cannot find a way to
    > get its innerText or innerHTML property.


    If the second-level domains do not match then you cannot get around
    the same origin policy. A page from foo.com cannot inspect the
    contents of an iframe from bar.net.

    Peter
    Peter Michaux, Sep 27, 2007
    #13
  14. VUNETdotUS

    Aaron Saray Guest

    On Sep 27, 10:56 am, Peter Michaux <> wrote:
    > On Sep 27, 7:27 am, VUNETdotUS <> wrote:
    >
    > > Is IFRAME trick possible if I load IFRAME with src='anotherdomain.com'
    > > and access with document.getElementById("myiframe").contentWindow?
    > > It does get a reference to IFRAME object but I cannot find a way to
    > > get its innerText or innerHTML property.

    >
    > If the second-level domains do not match then you cannot get around
    > the same origin policy. A page from foo.com cannot inspect the
    > contents of an iframe from bar.net.
    >
    > Peter


    You can do some fun DNS/subdomain tricks - but it requires
    communication with the mashup service providers.

    *shameless self promotion* check this link:
    http://www.102degrees.com/blog/2007/09/19/cross-domain-ajax-a-quick-anatomy-of-a-mashup/
    I pointed to two of the technical articles, and then filled in the
    blanks on the things I thought they were missing.
    Aaron Saray, Sep 28, 2007
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kevin Buchan
    Replies:
    1
    Views:
    456
    Eric Lawrence [MSFT]
    Feb 20, 2004
  2. Stefan Caliandro
    Replies:
    2
    Views:
    602
    Beauregard T. Shagnasty
    Feb 14, 2005
  3. Jasbird

    Sites about web-sites ?

    Jasbird, Sep 12, 2006, in forum: HTML
    Replies:
    1
    Views:
    383
  4. imx
    Replies:
    10
    Views:
    784
  5. Charles Oliver Nutter

    JRuby bug mash...with PRIZES!

    Charles Oliver Nutter, Jan 6, 2010, in forum: Ruby
    Replies:
    0
    Views:
    90
    Charles Oliver Nutter
    Jan 6, 2010
Loading...

Share This Page