Calling non-origin server

[Brian Adkins]

I need to have a script communicate with a server other than the one
it was loaded from. I've come up with the function below (slightly
modified for posting), but I thought I'd ask for constructive
criticism.

function transmitToServer(method, parameters) {
var s = document.createElement('script');
s.type = 'text/javascript';
s.charset = 'utf-8';
s.src = getServerURL() + method;
var sep = '?';
parameters.nocache = (new Date()).getTime();
for (var prop in parameters) {
if (parameters[prop] != null) {
s.src += sep + prop + '=' + escape(parameters[prop]);
if (sep === '?') { sep = '&'; }
}
}
document.body.appendChild(s);
}

An example invocation is:

transmitToServer('my_action', { name: 'Brian', phone:
'800-555-1212' });

Brian Adkins

 

[Peter Michaux]

I need to have a script communicate with a server other than the one
it was loaded from.

If you don't control that other server, you are entering the world of
"mash-ups". Be warned it is dangerous to allow anyone access to your
page. For example they can send the user's cookies to themselves and
then enter your system. I believe this is called a "cross-site
scripting attack".

Douglas Crockford talks about this stuff a lot.

I've come up with the function below (slightly
modified for posting), but I thought I'd ask for constructive
criticism.

function transmitToServer(method, parameters) {
var s = document.createElement('script');
s.type = 'text/javascript';
s.charset = 'utf-8';
s.src = getServerURL() + method;
var sep = '?';
parameters.nocache = (new Date()).getTime();
for (var prop in parameters) {
if (parameters[prop] != null) {
s.src += sep + prop + '=' + escape(parameters[prop]);
if (sep === '?') { sep = '&'; }
}
}
document.body.appendChild(s);

}

An example invocation is:

transmitToServer('my_action', { name: 'Brian', phone:
'800-555-1212' });

For technical details read all of Randy Webb's threads in the archives
on dynamic script insertion.

Peter

 

[Brian Adkins]

If you don't control that other server, you are entering the world of
"mash-ups".

I do control the remote server. I don't control the server-of-origin
for the script, but a customer does.

For technical details read all of Randy Webb's threads in the archives
on dynamic script insertion.

I have been reading through various threads. I think Randy has
recommended creating a special <div> element to place the dynamically
created script elements, where I just use:

document.body.appendChild(s);

I don't control the HTML the script runs in, so I'm trying to keep
things as simple as possible. I'll keep reading the threads, but I
thought I'd throw it out there in case anyone notices a red flag.

 

[mic123]

I do control the remote server. I don't control the server-of-origin
for the script, but a customer does.


I have been reading through various threads. I think Randy has
recommended creating a special <div> element to place the dynamically
created script elements, where I just use:

document.body.appendChild(s);

I don't control the HTML the script runs in, so I'm trying to keep
things as simple as possible. I'll keep reading the threads, but I
thought I'd throw it out there in case anyone notices a red flag.

try calling a script using ajax

 

[Peter Michaux]

I do control the remote server. I don't control the server-of-origin
for the script, but a customer does.

If your customer trusts you then all is well.

I have been reading through various threads. I think Randy has
recommended creating a special <div> element to place the dynamically
created script elements, where I just use:

document.body.appendChild(s);

I don't control the HTML the script runs in, so I'm trying to keep
things as simple as possible. I'll keep reading the threads, but I
thought I'd throw it out there in case anyone notices a red flag.

I wouldn't worry about appending to the body. Once the script is run
by inserting it, it doesn't really matter if it is attached to the
page or not. You could remove the script element after it executes the
script. You may have seen that suggestion in the archives somewhere.
You could append to the document head also.

Peter

 

[Peter Michaux]

try calling a script using ajax

If the domains of the two servers are different then a direct XHR is
not possible due to the same-origin policy.

Peter