Cross site scripting…

There’s a bit of a discussion going on at the moment about cross-domain scripting, which is a method of getting information from someone else’s website and using it on your own. The advantage of the AJAX way of doing things is that these requests can happen in the background without the user knowing, perhaps a hundred times a second.

You see why there might be a bit of a problem here. There is huge potential for people to do damage to others’ websites with a few lines of JavaScript. So, there is a restriction in XMLHttpRequest that only allows calls to a page on the same domain as the one you are currently viewing. That means that if you have a page on abc.com, you won’t be allowed to AJAX some information from xyz.com.

The downside of this is that if you have legitimate reasons for grabbing data from another domain using AJAX, you can’t. Or rather, you can, but you need to do some tweaking. I’ve used one method, discussed here, which is to use a server-side script (e.g. PHP or ASP) on your own domain to receive AJAX requests, do the remote call, then post the results back. Easy.
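
A sketch of such a server-side relay, added here as an example and not taken from the original post. It is written as a Node.js (18+, for the global `fetch`) request handler instead of PHP or ASP; the `/proxy?url=` path, the function names and the allowlist are assumptions. The point it shows is that the relay should only fetch from hosts you have chosen, otherwise anyone can use your server to make requests on their behalf.

```javascript
// Hosts this relay may call on the browser's behalf.
// Assumption: xyz.com stands in for the remote site, as in the text above.
const ALLOWED_HOSTS = new Set(["xyz.com"]);

// Decide whether a caller-supplied target URL may be fetched.
// Returns the parsed URL on success, or null when it must be refused.
function resolveTarget(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== "https:") return null;        // no http:, file:, ftp:, ...
  if (url.username || url.password) return null;     // no user:pass@host tricks
  if (url.port !== "") return null;                  // default HTTPS port only
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact host match, no suffixes
  return url;
}

// Handler in Node's (req, res) shape, suitable for http.createServer().
// The page on abc.com requests /proxy?url=... from its own domain,
// and the server performs the remote call and returns the body.
async function proxyHandler(req, res) {
  const raw = new URL(req.url, "http://localhost").searchParams.get("url");
  const target = resolveTarget(raw ?? "");
  if (!target) {
    res.writeHead(400, { "Content-Type": "text/plain" });
    res.end("target not allowed");
    return;
  }
  try {
    // redirect: "error" keeps an allowed host from redirecting the relay elsewhere.
    const upstream = await fetch(target, { redirect: "error" });
    const body = await upstream.text();
    // Serve as plain text so remote markup is never rendered as HTML on our origin.
    res.writeHead(upstream.status, { "Content-Type": "text/plain; charset=utf-8" });
    res.end(body);
  } catch {
    res.writeHead(502, { "Content-Type": "text/plain" });
    res.end("upstream request failed");
  }
}
```
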

And, seeing as the age of Web Services is upon us, expect to see a lot more of this kind of cross-site scriptery going on.