CORS in embedded javascript -


i'm intending add security our javascript code gets embedded on other sites - eg: analytics code.

the user copies 4-5 lines of code , puts on site. code downloads real script next step.

i have been recommended use cors instead of current jsonp calls can restrict domains.

as understand, cors work if html page add scripts needs add access domains , if add access domains the js file, wouldn't work.

is cors final js or html page intending use script?

edit:

since it's confusing users, have made more simple.

html in domain adds script domain b google analytics. can add access-domains: while rendering js or should html add access-domains in response?

there explanation wiki question:

cors can used modern alternative jsonp pattern. while jsonp supports get request method, cors supports other types of http requests. using cors enables web programmer use regular xmlhttprequest, supports better error handling jsonp. on other hand, jsonp works on legacy browsers predate cors support. cors supported modern web browsers. also, while jsonp can cause cross-site scripting (xss) issues external site compromised, cors allows websites manually parse responses ensure security.

as understand, cors work if html page add scripts needs add access domains

you can access domains via: 

access-control-allow-origin: *

also cors has good support.

p.s. ie8-9 has own imlementation xdomainrequest.


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more