More power to JSONP with Subspaces
 
At the last World Wide Web conference, Collin Jackson and Helen Wang presented an interesting paper in which they explain how to sandbox the dynamic evaluation of JSON inside an inlined frame. A second interesting aspect of the paper is that it gathers descriptions of many of the enabling cross-domain techniques in one place, making it a valuable, well-written reference.
 
The reason you might want to sandbox the evaluation of JavaScript is its security implications. It does not guarantee 100% security (as usual; see for example this), but at least it helps enforce control over external sources of data. The sandbox relies on the kind of visibility a child iframe has into the main document object model or into other iframes. That visibility depends on the domain the documents were loaded from, and more specifically on the value of the document.domain property. If two iframes, or an iframe and the main page, come from the same domain, they can access each other's document object model. Please refer to the paper above for a full explanation.
 
The mechanism is tricky but it works. There is already an implementation called CrossSafe by Kris Zyp that is worth a look. Why am I discussing all this? Because I'm thinking of integrating or implementing the same idea in dTunes to gain more control over the evaluation of the JSONP output coming from external web services. All I need is a domain with a sub-domain for each external service dTunes will need to access. Tricky but doable.
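To make the document.domain visibility rule and the per-service sub-domain layout concrete, here is an added example (not code from the post, the Subspace paper, CrossSafe or dTunes) that models the browser's relaxation rule and walks a Subspace-style three-frame layout through its stages. The host names and frame names are constructed placeholders, and the public-suffix check is simplified to "the value contains a dot".

```javascript
// Added example, not code from the post, the Subspace paper or dTunes: a small
// model of the browser's document.domain relaxation rule, used to check which
// frames of a Subspace-style layout can see each other's DOM at each stage.
// Host names are constructed placeholders.

function makeFrame(name, host) {
  // domain stays null until a script in the frame assigns document.domain
  return { name, host, domain: null };
}

// document.domain may only move to a parent domain of its current value:
// never back down, and never to a bare TLD (crudely modelled as "has a dot").
function setDocumentDomain(frame, value) {
  const current = frame.domain ?? frame.host;
  const ok = value.includes('.') && (current === value || current.endsWith('.' + value));
  if (!ok) throw new Error(`${frame.name}: cannot set document.domain to "${value}"`);
  frame.domain = value;
}

// Same-origin check as browsers apply it to document.domain: both frames
// untouched and on the same host, or both explicitly relaxed to the same
// value. A relaxed frame and an untouched frame never match.
function canAccess(a, b) {
  if (a.domain === null && b.domain === null) return a.host === b.host;
  return a.domain !== null && a.domain === b.domain;
}

function matrix(top, mediator, untrusted) {
  return {
    topMediator: canAccess(top, mediator),
    mediatorUntrusted: canAccess(mediator, untrusted),
    topUntrusted: canAccess(top, untrusted),
  };
}

// Subspace-style staging: the mediator and untrusted frames start on one
// per-service sub-domain (where they can hand an object across while still
// same-origin), then top and mediator relax to the parent domain. The last
// stage records what a reviewer should also check: script in the untrusted
// frame relaxing its own document.domain as well.
function subspaceStages(parent, service) {
  const top = makeFrame('top', 'www.' + parent);
  const mediator = makeFrame('mediator', service + '.' + parent);
  const untrusted = makeFrame('untrusted', service + '.' + parent);
  const stages = { initial: matrix(top, mediator, untrusted) };
  setDocumentDomain(top, parent);
  setDocumentDomain(mediator, parent);
  stages.afterRelax = matrix(top, mediator, untrusted);
  setDocumentDomain(untrusted, parent);
  stages.ifUntrustedRelaxes = matrix(top, mediator, untrusted);
  return stages;
}
```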
 
Monday, October 1, 2007