The problemThe technology needed to write web applications is named AJAX, but for security reasons, AJAX has one important limitation! You can not make requests to another domain. Imagine what would happen if a malicious website would request your gmail inbox while you are logged in!
AlternativesBecause of this limitation, people started to look for other ways to make cross-domain request. Bring in JSONP! JSONP allows you to request data from another domain by inserting a script tag with a src attribute referring to the data location. This is used in the Twitter widget showed in my sidebar. JSONP has two limitations.
- You give the other domain scripting access to your site, opening a potential XSS vulnerability.
- You can only make a GET request.
iframesHidden iframes are another method to make asynchronous requests, but they to are limited to GET requests and are only accessible from the same domain. I have not yet found a solution for the access problem, but I can make POST requests.
- Make an iframe and set its display property to hidden.
- Load a page in the frame containing a form.
- Add hidden inputs to the form.
- Submit it!
iframe removedThe only remaining problem is that we can not access the return data, but as you can see, that is not needed in all cases.