
same origin policy in external js file

If in the website http://www.mysite.com there's an external js file added as

<script src="http://www.yoursite.com/new.js"></script> 

within the http://www.yoursite.com/new.js file there's an AJAX call to a script in http://www.yoursite.com/new.js,

in such a case will there be a same-origin policy security problem, as it's calling a script in a site from another website?

There will be a problem. new.js runs in the scope of mysite.com, not yoursite.com.

EDIT: a more detailed explanation would be: when mysite.com is opening a <script> tag, that script runs in the scope of the current page. The source of the script does not matter: it can be inline, local source, or remote source; it is still considered part of mysite.

As you know, scripts in mysite.com cannot access anything on yoursite.com due to the same origin policy. So you cannot do this.

As an advanced option for cross-origin communication, look at jsonp. It will require yoursite.com to provide special handling, but if you have control over both sites then this should not be a problem.
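As an added illustration of the point this answer makes (example code, not part of the original answer): a small Node.js model of the browser's same-origin decision. It builds origins the way browsers do (scheme, host, port, with default ports normalised) and applies the rule stated above: the origin that governs an XMLHttpRequest is that of the document that included the script, so the script's own src plays no part. mysite.com and yoursite.com are the question's placeholder hosts; the /api/data paths are assumed.

```javascript
// Added example, not from the original answer: a model of the browser's
// same-origin decision for a request issued by an included script.
// mysite.com / yoursite.com are the question's placeholder hosts; the
// /api/data paths are assumed for illustration.

// An origin is the (scheme, host, port) triple. Default ports are made
// explicit so "http://a.com" and "http://a.com:80" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Without CORS, an XMLHttpRequest is allowed only when its target shares the
// origin of the document that runs the script. The script's own src is
// accepted as a parameter and deliberately ignored: once a <script> tag has
// executed it, the code belongs to the including page, as the answer says.
function xhrAllowedWithoutCors(includingPageUrl, scriptSrcUrl, requestUrl) {
  void scriptSrcUrl;
  return isSameOrigin(includingPageUrl, requestUrl);
}

// The question's scenario: mysite.com includes yoursite.com/new.js, and
// new.js tries to call back to yoursite.com.
const PAGE = "http://www.mysite.com/index.html";
const SCRIPT = "http://www.yoursite.com/new.js";

const callToYoursite = xhrAllowedWithoutCors(PAGE, SCRIPT, "http://www.yoursite.com/api/data");
const callToMysite = xhrAllowedWithoutCors(PAGE, SCRIPT, "http://www.mysite.com:80/api/data");

console.log("new.js -> yoursite.com:", callToYoursite ? "same-origin" : "blocked by same-origin policy");
console.log("new.js -> mysite.com:  ", callToMysite ? "same-origin" : "blocked by same-origin policy");
```

Run it with `node` and the first line reports the call to yoursite.com as blocked while the call to mysite.com (even with the explicit `:80`) is same-origin; swapping SCRIPT for any other URL changes nothing, which is the answer's point.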

JSONP is precisely what you're looking for: http://en.wikipedia.org/wiki/JSON

The 5,000m overview is that JSONP uses the same mechanism for requesting external scripts as you're using above. The difference is that your server will recognise this and will package up the JSON response as the argument to a callback method. When your site receives this 'script', it executes it, thereby returning the data directly into your callback method.

If you are able to use a framework like jQuery, most of the client side would be transparently handled for you. Check it out here: http://api.jquery.com/jQuery.getJSON/
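To make the mechanism concrete, here is an added example (not from this answer, and not jQuery's implementation) that simulates the whole JSONP exchange in one Node.js script: the yoursite.com side that wraps the JSON in a call to the requested callback, and the mysite.com side that registers the callback and runs the returned script. The function names, the `callback` query parameter and the sample record are assumptions. It also shows one detail a server operator needs that the answer leaves out: because the callback name is reflected into a script the client executes, the server accepts only a plain identifier and rejects anything else.

```javascript
// Added example, not from the original answer: both halves of a JSONP
// exchange simulated offline. jsonpResponse(), loadJsonp(), the "callback"
// query parameter and the sample record are illustrative assumptions.

// ---- yoursite.com (server side) ---------------------------------------
// Only a dotted identifier is accepted as a callback name. The name goes
// straight into a script the client will execute, so anything else is
// rejected instead of being echoed back.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(callbackName, payload) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("rejected JSONP callback name");
  }
  // JSON.stringify output is a valid JavaScript expression, so the response
  // body is an ordinary script: callbackName({...});
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// ---- mysite.com (client side) -----------------------------------------
// In a browser: define window[name], append
//   <script src="http://www.yoursite.com/api/data?callback=name">
// and let the browser execute the reply. Here `fetchScript` stands in for
// that request and `new Function` for the browser executing the script; the
// callback is bound as a parameter with the same name the script calls.
function loadJsonp(fetchScript, handler) {
  const name = "jsonp_cb_" + Date.now().toString(36);
  let result;
  const callbacks = { [name]: (data) => { result = handler(data); } };
  const scriptText = fetchScript(name);        // GET ...?callback=<name>
  new Function(name, scriptText)(callbacks[name]);
  delete callbacks[name];                       // one-shot callback
  return result;
}

// ---- putting both sides together ---------------------------------------
const RECORD = { user: "alice", items: 3 };     // constructed sample payload

function yoursiteApi(callbackName) {            // plays the remote server
  return jsonpResponse(callbackName, RECORD);
}

// mysite.com page code: ask yoursite.com for the record and use it.
const itemsSeen = loadJsonp(yoursiteApi, (data) => data.items);

// A malformed callback name never reaches the client as script.
function rejectsMalformedCallback(name) {
  try { jsonpResponse(name, RECORD); return false; } catch (e) { return true; }
}

console.log("items received via JSONP:", itemsSeen);
console.log("server rejects 'foo();bar':", rejectsMalformedCallback("foo();bar"));
```

The client half is what jQuery.getJSON does for you when the URL contains `callback=?`: it generates the function name, attaches the function to `window`, inserts the script tag and removes both afterwards. The server half is the "special handling" the first answer refers to, and the identifier check is the part worth keeping whatever framework sits in front of it.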
