xssinterface - Google Code

xssinterface - Google Code
The xssinterface javascript library enables communication of multiple pages (or pages and iframes) via javascript functions across domain boundaries. This may be useful for websites that want to expose a limited javascript interface to embedded widgets.

xssinterface works in all browsers that support the postMessage() interface and implements a fallback mechanism that works in most current browsers.

How it works?

For Browsers that support it, we use the postMessage() interface.

If the Browser has Google Gears installed, we use Gears cross origin workers.

For all other browsers, we use the following mechanism:

All sites that participate in the cross domain calls must provide an html file (cookie_setter.html) that is provided by this library that enables other domains to place certain cookie under the domain of the site.

The library uses this mechanism to place cookies on the target domain that are then read and evaluated by the target page.

Pages must explicitly grant access to their domain by setting a security token cookie under a domain that is allowed to access the callbacks.

function sayHello() {
  var caller = new XSSInterface.Caller("www.two.com","/cookie_setter.html","channel1");
  caller.call("hello", "Hello World")
}

window.onload = function () {
  window.xssListener = new XSSInterface.Listener("1234567890","channel1");
  window.xssListener.allowDomain("www.one.com", "/cookie_setter.html");
  window.xssListener.registerCallback("hello", function (msg) {alert(msg)} )
  window.xssListener.startEventLoop()
}