1 (edited by leon 2007-09-10 11:01:49 AM)

Topic: replace xmlHttpRequest with iframe

My xajax version is 0.2.

I am focusing on an 'on-line build system' whose host name is 'compiler.local'.
Somebody else is in charge of the 'bug tracing system', 'mantis'.
I want to offer some js api to them. They can use it as follows:

sample code:
[code js]...
<script type="text/javascript" src="http://compiler.local/api.js"></script>
// get project id from user interface panel.
var projectId=getProjectId();

// appendBuildTask is a js api from http://compiler.local/api.js
[/code]

So, when a programmer fixes a bug, he can tell the mantis 'I have fixed it'.
MANTIS will append a build task to the 'on-line build system'.
When the build succeeds, a note email will be sent to the tester who submitted the bug.

http://compiler.local/api.js should look like this:

[code js]
// Load a script by URL once; pass reload=true to load it again.
function include_js(path,reload){
    var scripts = document.getElementsByTagName("script");
    if (!reload)
    for (var i=0;i<scripts.length;i++)
        if (scripts[i].src && scripts[i].src.toLowerCase() == path.toLowerCase() ) return;
    var sobj = document.createElement('script');
    sobj.type = "text/javascript";
    sobj.src = path;
    //compatible for both IE & FireFox
    var headobj = document.getElementsByTagName('head')[0];
    headobj.appendChild(sobj);
}

//load xajax.js

//global value
var xajax;
function _xajax_init(){
        xajax = new Xajax();
        //wait for browser parsing xajax.js
}

function appendBuildTask(){
        //appendBuildTask is php function in server.php
        if (xajax)
                return xajax.call("appendBuildTask", arguments, 1);
        //only reached when xajax has not been initialised yet
        debug('xajax not defined');
        return false;
}
[/code]

!! Problem:
When I use the sample code in another domain, it doesn't work.
IE will ask the user to confirm whether to go on.
Firefox throws an exception at xmlHttpRequest.open.

!! Request
Can anybody rewrite xajax to support this?
Maybe xmlHttpRequest should be replaced with an iframe, or both of them could be offered.
A flag can control which one is selected.


Re: replace xmlHttpRequest with iframe


The problem you are experiencing is due to a security restriction on the browser; you cannot open an XHR request (or iframe / frame) to another domain in javascript (refer to XSS or Cross-site scripting for more details).

The only way to access information on another domain is to have your server script fopen or otherwise access the other site and return the information to the user afterwards.

// Joe

xajax Developer

Re: replace xmlHttpRequest with iframe

What about the following:

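function test(){
        var o=document.getElementById('hif');
}

<input type='button' value='test' onclick='test();'>
<iframe style='visibility:hidden;width:0px;height:0px;' id='hif' src='[]=1&args[]=2'></iframe>

function test($a,$b){
    // json_encode with the HEX flags emits a JS string literal, so request values cannot break out of the script
    echo "<script>alert(".json_encode("server report: ".$a.",".$b, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT).");</script>";
}

function test2($a,$b){
    // same encoding as in test()
    echo "<script>alert(".json_encode("server report2: ".$a.",".$b, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT).");</script>";
}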


It works well.

On load, it alerts:

server report: 1,2

On clicking test, it alerts:

server report2: 3,4


Re: replace xmlHttpRequest with iframe


Thank you for the code example.  I know it is possible to direct an iframe to a host (and even a host on another domain)... but understand, the result from a host on another domain will not be readable by the main page (in other words, the iframe document will not be readable by the main page) because its content was loaded from a different domain.

We could easily build a plugin that would make this sort of signalling easy to perform:

1)  Main page loads
2)  User clicks a button
3)  We send a message to a server on another domain with some information about our user (via the get parameters)
4)  The server sends back "ok" or "error" (but we can't read this since it is another domain)

Now, perhaps the other server could be configured to report its success or failure condition to our server on our domain... the result could be stored with some user information so it could be retrieved by a xajax call.

1)  browser -> other server (via iframe)
2)  other server -> our server
3)  browser -> our server -> browser (via xajax call)

I would certainly be interested and willing to set up a test page on a couple domains to play with this idea... but I doubt that it would be used enough to consider it as part of the xajax system (integrated into xajax).  Perhaps this would make a nice plugin though.

// Joe

xajax Developer
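
The three-step signalling described in the post above, as an added example that is not part of the thread and not xajax code. It is written for Node.js rather than PHP, and the token scheme, the HMAC report format, the secret and all function names are assumptions: the point is that the "other server -> our server" report must be authenticated and tied to one user, or anyone could forge an "ok".

```javascript
const crypto = require('node:crypto');

// Constructed demo secret shared by "our server" and the "other server".
const SHARED_SECRET = 'constructed-demo-secret';
const tasks = new Map(); // token -> { user, status }

// Before step 1: our server issues an unguessable token that the browser
// puts in the iframe's GET parameters instead of raw user information.
function startTask(user) {
  const token = crypto.randomBytes(16).toString('hex');
  tasks.set(token, { user, status: 'pending' });
  return token;
}

// What the other server computes over its report (hypothetical format).
function signReport(token, status, secret = SHARED_SECRET) {
  return crypto.createHmac('sha256', secret)
    .update(`${token}:${status}`).digest('hex');
}

// Step 2: other server -> our server. Accept only an authentic, first report.
function receiveReport(token, status, mac) {
  const expected = Buffer.from(signReport(token, status), 'hex');
  const given = Buffer.from(String(mac), 'hex');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return false; // forged
  if (status !== 'ok' && status !== 'error') return false;
  const task = tasks.get(token);
  if (!task || task.status !== 'pending') return false; // unknown or replayed
  task.status = status;
  return true;
}

// Step 3: browser -> our server (the xajax call). Only the owner may read it.
function pollResult(user, token) {
  const task = tasks.get(token);
  return task && task.user === user ? task.status : null;
}
```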

Re: replace xmlHttpRequest with iframe

Hi, CtC

I think 'readable' is not a key issue.

Last year, I was in charge of a CVS Admin system with another colleague. He never uses PHP or xajax, but he is good at javascript. So we defined the APIs.

All the xajax_*** are mine, in php at the server end.
As for xajax_loadCVSRoots, what I need to do is list the cvs roots, join them as a string 'CVSRootString', and addScript to xajaxResponse. I don't know how the client deals with this CVSRootString.

All the on*** are his, in javascript at the client end. He calls the xajax_*** at the right time. Before that, he should prepare on*** to wait for xajax_***. He doesn't know what happened on the server, but he knows what will happen on the client. I think this is the "asynchronism".

Then the most important thing is the arguments' number, format, and meaning.
If arguments are pre-defined, they are 'readable'!

sample APIs

// called by client js.

// called by php function loadCVSRoots on server, using addScript
// CVSRootString's format is: cvsroot1:cvsroot2
// this function is different between different web pages.
// some show the cvs roots from top to bottom, others from left to right.
// the server is not concerned about it. The server just gives the data, gives the service.

I doubt that it's necessary for xajax to offer so many apis to control the user interface.
Or I like addScript too much. :)

If xajax can give service cross domain, I believe more people will love it.


Re: replace xmlHttpRequest with iframe


XSS (or cross site scripting) is a security issue addressed by the browser; xajax, being a javascript application on the browser, is restricted to the javascript sandbox.  We will not work to provide a mechanism to break or otherwise thwart the security mechanisms put in place by the browser author(s).

However, it is easy enough for you to use curl or fopen or some other http_get request from your server to the other server and have your server read the request (this is not a security hole); so you don't need (nor want) xajax to provide that service.  Simply have your script execute the http_get request by first using xajax to call your server... your server calls his server... his server performs the operation and returns a result to your server... then your server returns a xajax response to the browser.

I hope you understand... I would love to make xajax a better tool, but not when it will open major security risks for people surfing the web... especially when a server side technology exists which can handle it. :)

I also hope that my above comments will help you to get the desired functionality! :D

If you have questions about the server side implementation, please let me know and I'll be glad to help out.

// Joe

[edit]  Oh, regarding the use of ->addScript (or ->script in newer versions)... you might also want to look at ->addScriptCall (or ->call in newer versions) as it provides more flexibility in passing parameters (like arrays).

xajax Developer
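
The server-side relay recommended in this post and in the first reply, as an added example that is not part of the thread and not xajax code. It is written for Node.js rather than PHP; the `fn` and `projectId` parameter names, the `server.php` path on `compiler.local`, the "ok" reply and the injected `httpGet` helper are assumptions. The upstream address lives in server configuration and only a validated project id comes from the browser, so the relay cannot be pointed at other hosts.

```javascript
// The upstream is fixed in server configuration; the browser never names it.
// Path and parameter names are assumptions for this sketch.
const UPSTREAM = new URL('http://compiler.local/server.php');

// Validate the only value the browser controls and build the upstream URL.
function buildUpstreamUrl(args) {
  const projectId = String(args && args.projectId);
  if (!/^[0-9]{1,9}$/.test(projectId)) {
    throw new Error('invalid projectId');
  }
  const url = new URL(UPSTREAM);
  url.searchParams.set('fn', 'appendBuildTask');
  url.searchParams.set('projectId', projectId);
  return url.href;
}

// browser -> our server -> his server -> our server -> browser.
// httpGet is injected (for example a wrapper around fetch with a timeout).
async function relayAppendBuildTask(args, httpGet) {
  let url;
  try {
    url = buildUpstreamUrl(args);
  } catch (err) {
    return { ok: false, error: err.message }; // rejected before any request
  }
  try {
    const body = String(await httpGet(url)).trim();
    // Pass on a fixed vocabulary, never the raw upstream body.
    return body === 'ok' ? { ok: true } : { ok: false, error: 'upstream error' };
  } catch (err) {
    return { ok: false, error: 'upstream unreachable' };
  }
}
```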

Re: replace xmlHttpRequest with iframe


Thx very much!

Server 'Apple' is a reliable & middle client to server 'Boy'.
