JS: RPC and obstructions

2008-01-02

JavaScript can request files from a server without reloading the entire page (actually without reloading at all). It goes by various names; just google for AJAX if you care. To prevent several obvious security issues, you are restricted from downloading files from any domain other than the domain of the currently visited page. This way any data on a visited page can be trusted to be as safe as the domain that page is on. Pretty shallow security if you ask me; consider for example hosting sites like geocities.

It's not entirely clear to me what they've tried to accomplish with the restrictions. They give more headaches than security. At best it raises the threshold for newbie script kiddies to work up such an attack.

When searching around you quickly encounter two alternatives for getting data from offsite domains.

The first is a DNS solution using sub-domains. I haven't tested it because it requires both the source and the target domain to set up specific DNS records and it uses a sub-domain. This requires quite some expertise and rules out retrieving data from user-given sources.

The other one goes by the name of JSON ("JavaScript Object Notation"). I actually came up with the core of this feat myself, but I didn't pursue it any further because E4X is not cross-browser friendly. Even though AJAX is limited to the same domain, you are allowed to include scripts from any source. This seems very odd to me since it defies the very reason for the restriction. You can load the scripts dynamically, allowing you to download JavaScript-valid data.

My goal is to download a text file from a remote location given by the user. Directly requesting and downloading this file is out of the question, so the user will have to manually adjust the file anyway.

My next idea was to put the entire file inside a single variable. However, JavaScript has another limit: no multiline string capabilities like HEREDOC.

The easiest search query came up with a very nice solution to this problem. It uses an XML type of syntax and adds the contents of the file as a CDATA block. Un-very-fortunately... E4X (the extension allowing this trick) is not supported by Internet Explorer and probably other browsers. So that's not gonna fly.

But I was on the right track. The correct track is JSON. The two leaders currently implementing JSON are Google and Yahoo. Unfortunately JSON is very dependent on server-side scripts and/or very specific syntax. That means you have to either adjust the file line by line manually or your server will still serve as a proxy. That's kind of what we're trying to avoid.

Thus ends my search, and I give up, for now. Maybe we'll be able to easily request offsite data once developers realize the futility of the current security restrictions, since there are many ways to bypass them.
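The "include a script from any source" trick described above (later known as JSONP) and the "whole file in one variable" problem are shown together in the following added example. It is not code from the original post; the function names (wrapAsJsonp, buildScriptUrl, requestViaScriptTag, simulateScriptLoad) and the sample file are my own constructions. It also shows the two things a defender cares about here: the callback name must be validated, because otherwise whoever controls the query string controls the script the page executes, and the loaded response runs with the page's full authority, which is exactly why the same-origin rule offers no protection against a script tag.

```javascript
// Added example, not from the original post. Names are hypothetical.

// Server side (or the manual step the post talks about): turn a raw text
// file into a JavaScript-valid payload. JSON.stringify escapes newlines and
// quotes, so the whole file fits in one string literal even though the
// language has no HEREDOC-style multiline strings.
function wrapAsJsonp(callbackName, text) {
  // A callback name that is not a plain identifier would let the requester
  // inject arbitrary script into the response, so refuse it outright.
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error("invalid callback name: " + callbackName);
  }
  return callbackName + "(" + JSON.stringify(text) + ");";
}

// Client side: the URL a dynamically inserted <script> tag would request.
function buildScriptUrl(base, callbackName) {
  var sep = base.indexOf("?") === -1 ? "?" : "&";
  return base + sep + "callback=" + encodeURIComponent(callbackName);
}

// Client side, browser only: register the callback globally and insert the
// script tag. Whatever the remote host returns is executed as code in this
// page, so the remote host is trusted completely, not just for the data.
function requestViaScriptTag(base, callbackName, onData) {
  if (typeof document === "undefined") {
    throw new Error("requestViaScriptTag needs a browser DOM");
  }
  window[callbackName] = function (data) {
    delete window[callbackName];
    onData(data);
  };
  var s = document.createElement("script");
  s.src = buildScriptUrl(base, callbackName);
  document.getElementsByTagName("head")[0].appendChild(s);
}

// Offline stand-in for the browser evaluating the arriving script: the
// payload is run as code and the string literal comes back as data.
function simulateScriptLoad(payload, callbackName) {
  var received = null;
  var callback = function (data) { received = data; };
  // Same effect as the script tag evaluating the response text.
  new Function(callbackName, payload)(callback);
  return received;
}

// Constructed sample "remote text file" spanning several lines.
var SAMPLE_FILE = "line one\nline two with \"quotes\"\nline three";

var payload = wrapAsJsonp("handleFile", SAMPLE_FILE);
var roundTrip = simulateScriptLoad(payload, "handleFile");
```

Run stand-alone, `payload` holds the single-line script the remote file would have to be turned into, and `roundTrip` is the original multi-line text reconstructed on the page side.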