By juliana | April 19, 2008
Here’s was my problem yesterday, in a cool scripted form:
Mission> Your mission, should you choose to accept, is to allow third party sites to grab from this system you are developing and display our content. These undisclosed third party sites may be in ASP .Net, ASP, PHP, or even… [ominous pause] static HTML. You have no choice but to accept this mission. You may begin self-destructing in 5, 4, 3…
JS/XHR> Permission denied to call method xmlhttprequest.open. Bwhahahaha!
JS/XHR>Permission denied to call method xmlhttprequest.open! Permission denied to call method xmlhttprequest.open! PERMISSION DENIED TO CALL METHOD XMLHTTPREQUEST.OPEN! NEENER NEENER!!
Me> ARGH! ::DIES::
Apparently, XMLHttpRequest does not allow cross-domain scripting for security reasons. I didn’t realize this because I’d always use the object for local connections, but I get it. Cross-domain scripting can lead to some pretty malicious results in the hands of an evil developer. But that doesn’t solve my problem.
The trick, however, was trying to figure out that call-and-interface. Somehow, the client had
- to make a call to the server,
- to allow the server to carry out its functions and return a result,
- to accept that result
- and to display that result on the client.>
Googling gave me a bunch of alternative ways to “hack around” the no cross-domain limitation of XMLHttpRequest (keywords: xmlhttprequest cross-domain)
Some of the solutions I ran across dealt with iframe, setting domain.location, using a proxy, using a in-between page, using a web service–none of which I was happy about, and a lot of them had to do with configuring something on the client-side, which is not a given.
But that web service idea pointed me toward my solution. I can’t find the link now, but I remember seeing something like
- Add to Page.Load
- Remove all evidence of a HTML result by deleting the <HTML>, <HEAD>, <TITLE>, even the <FORM> and <DIV> tags. (All that should be left is the @Page directive tag
And that was it. I tried with a very simple
I guess the ending of the script would be
ASP .NET> Nyahnyahnyaaaaah!!!