Mindsack : User Experience Engineering : Dynodes: Cross-Domain Scripting using Dynamic Node Creation

Try it out: get a random number from a script hosted on a foreign domain.

(Note: clicking repeatedly won't give you multiple results; you need to mouse out and mouse back in again. Please read How It Works to find out why.)

Your random number will appear here.

What's This?

In certain edge cases, XMLHTTPRequest is impossible or unpalatable. It could be cross-domain security issues. It could also be that you've got a friendly script on the other end that supplies a JSON object with a callback, so you don't need to take the extra step of proxying it through a server on your domain.

Dynodes use CSS, unobtrusive Javascript, and the Document Object Model to create, import, run, and destroy foreign script nodes on demand, without the usual security restrictions faced by AJAX.

Questions? Comments?

Please leave 'em in the Mindsack. Thanks!

How Dynodes Work

On load, we capture the onmousedown, onmouseover, and onmouseout events.
When the user hovers over an element with class name loadScript, we insert the script node and change the class name to runScript.
When the user clicks any element with class name runScript, we run the function in the remote script that returns the data we want. Then we delete the script node and change the element's class name back to loadScript.
When the user exits any element with class name runScript without clicking it, we delete the script node without calling the remote function. Then we change the element's class name back to loadScript, to await the next request.

Things To Do And Notice

Click the link repeatedly without mousing out. Nothing happens, since the script has not reloaded. This could be a feature or a bug, depending on your point of view. :)
Bring up your DOM inspector under Firefox, open up the HEAD and the first P, and wave your mouse over the link. You should see the script node popping in and out under HEAD, and the class shifting from loadScript to runScript.
Repeat with your Task Manager set to Processes, and watch memory usage. As far as I can tell it's not excessive.

Browser Compatibility

Tested on Firefox 1.0.6, IE5.0.1, IE5.5, IE6, Netscape 7.2, and Opera 7.54 on my PC, plus Safari 1.3 and 2.0+ on OSX.
Does not work on Safari 1.0.3, due to issues with dynamically creating SCRIPT nodes.
Not sure where on the Safari version continuum it starts working. Anybody out there got 1.1 or 1.2?
No support for Netscape 4 or other browsers that don't see the DOM, sorry!

Directions for Future Development

By leaving the events attached to their current class names but loading and running scripts based on IDs, we could easily do multiple scripts.
Yes, we need (badly) some sort of "loading" indicator, in case the remote script is on a slow server.

Words Of Warning

I'm lucky enough to work with some of the leading voices in the field. One such alert reader is Douglas Crockford, who writes:

XMLHttpRequest suffers from a defective security mechanism that constrains it to connecting only with the server that delivered the base page. This renders XMLHttpRequest virtually useless for a large, exciting class of applications. Clearly an alternative is needed. The dynamic <script> tag hack suffers from the opposite problem. It allows a page to access data from any server in the web, which is really useful. Unfortunately, the data is returned in the form of a script. That script can deliver the data, but it runs with the same authority as scripts on the base page, so it is able steal cookies or misuse the authorization of the user with the server. A rogue script can do destructive things to the relationship between the user and the base server. It is safe in the particular example that Kent shows, but it is extremely dangerous in other patterns. Be extremely cautious in your own use, and even more cautious in teaching it outside. The unrestricted script tag hack is the last big security hole in browsers. It cannot be easily fixed because the whole advertising infrastructure depends on the hole. Be very cautious.

Thanks, Douglas. I thought twice about releasing dynodes into the wild; on balance, however, I believe that the technique is important enough--and working examples are few enough--that the benefits outweigh the risks.

That being said, I'm going to apply a really basic casual-bozo filter and not supply the source code for this example. If you know what you're doing with the Web, you know where to find it.

Acknowledgements

Jeremy Gillick, for midnight tech support and good advice.
Jimmy Byrum, for getting me to push the outside of the envelope.
Toby Elliot, for patient answers to bonehead questions.
Douglas Crockford, for feedback, and for discovering and documenting JSON.
Hedger Wang, for testing on IE5.0.1 and IE5.5
Mike Lee, Gina Groom, Barney Mok, Scott Schiller, Dave Balmer, and Nate Koechley, for the usual reasons.