Cross-Site Scripting – Legitimate Means for Cross-Site Scripting

browser, javascript, security

Are there good means for allowing scripts from two or more domains to collaborate in the same browser page? I want to create an extensible platform, where I provide the model and some views, but also allowing third parties to create their own views as well. The idea is that all model manipulation will be done through its API, and only the model will communicate to the (main) server, but users will be allowed to include scripts from other domains that also use that API (those scripts might "call home" if they want to though).

I know many sites already do that, for instance when they use a CDN to provide libraries like jQuery. However, I also recall reading that those libraries had to be "tweaked" somehow so they won't be mistaken by XSS attacks, though I couldn't find more info on the subject. I have only superficial knowledge of how browsers isolate contents for different domains, and to what extent that isolation occurs, so some pointers in that direction would be very welcome.

I'm also aware of the method of using iframes to load "less-than-trusted" contents, and it seems that communication between the main page and its iframes is quite straightforward. I'd rather not use that method, but will do if there are good security benefits of doing so. However, I'm unsure if that's the case, since the iframe can call arbitrary methods on the parent page… (Edit: from what I understood of Florian Margaine's comment, the method in the linked question only works for same-origin iframes, is that correct? In that case, I can see the security benefits now) Can anyone with experience on the subject tell me how it works?

These are the only options I know of, other suggestions are welcome too. I'd also like to note that, while there must be some level of trust between the user and the third party providing the script (since its very purpose is manipulating the model owned by that user), each user will be free to choose extensions at his leisure (i.e. the available scripts won't be restricted to ones I previously evaluated and endorsed), so any means to mitigate security problems to the users are also welcome.

Edit: Let me clarify the question a bit. The goal here is not to make HTTP requests to other domains, merely to have better control of what the different scripts do to the same page. From what I understood so far of the same origin policy, different pages cannot communicate with each other unless they come from the same domain, but scripts in the same page but coming from different domains can do whatever they want. Is that correct? (if it is, then I guess my question is moot…)
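As an added illustration (not part of the original question or answer) of the iframe approach raised above: when each third-party view runs in its own cross-origin, sandboxed iframe, it cannot touch `parent.document` or call functions on the parent page at all; its only channel is `postMessage`, and the parent decides which model operations to expose over that channel. The broker below is example code; the origin names, operation names and the `createModel` shape are assumptions made for the example.

```javascript
// Added example: a parent-page broker that exposes a small model API to
// extension iframes over postMessage. Origins, op names and the model
// shape are hypothetical.

// The model the parent owns. Only the broker touches it.
function createModel() {
  const items = new Map();
  return {
    get(id) { return items.get(id); },
    set(id, value) { items.set(id, value); return value; },
    list() { return Array.from(items.keys()); },
  };
}

// Every operation an extension may invoke, with its argument handling.
// Anything not listed here is simply unreachable from an iframe.
const ALLOWED_OPS = {
  'model.get':  (model, args) => model.get(String(args.id)),
  'model.set':  (model, args) => model.set(String(args.id), args.value),
  'model.list': (model)       => model.list(),
};

function createBroker(model, allowedOrigins) {
  const origins = new Set(allowedOrigins);

  // Handle one message event. Returns the reply so it can be checked
  // without a real window; in the browser it is also posted back to
  // event.source, targeted at event.origin (never '*').
  function handle(event) {
    // 1. Origin check: messages from origins the user did not enable are dropped.
    if (!origins.has(event.origin)) {
      return { ok: false, error: 'origin not allowed' };
    }
    const msg = event.data;
    // 2. Shape check: event.data is attacker-controlled; never trust its structure.
    if (!msg || typeof msg !== 'object' || typeof msg.op !== 'string') {
      return { ok: false, error: 'malformed request' };
    }
    // 3. Own-property lookup so 'constructor' / '__proto__' do not resolve to
    //    something inherited from Object.prototype.
    const op = Object.prototype.hasOwnProperty.call(ALLOWED_OPS, msg.op)
      ? ALLOWED_OPS[msg.op] : null;
    if (!op) {
      return { ok: false, id: msg.id, error: 'unknown op' };
    }
    try {
      const result = op(model, msg.args || {});
      const reply = { ok: true, id: msg.id, result };
      if (event.source && typeof event.source.postMessage === 'function') {
        event.source.postMessage(reply, event.origin);
      }
      return reply;
    } catch (e) {
      return { ok: false, id: msg.id, error: String(e && e.message || e) };
    }
  }
  return { handle };
}

// Browser wiring (skipped under Node). Each extension is embedded as
// <iframe src="https://ext1.example/view.html" sandbox="allow-scripts">,
// so it gets its own origin and no access to the parent's DOM or globals.
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  const broker = createBroker(createModel(), ['https://ext1.example']);
  window.addEventListener('message', broker.handle);
}

// Extension side, for reference (targetOrigin is the parent's real origin):
//   window.parent.postMessage({ id: 1, op: 'model.set', args: { id: 'x', value: 1 } },
//                             'https://app.example');
```

The two checks that matter are the origin allowlist and the fixed operation table: the iframe can only ever ask for `model.get`, `model.set` and `model.list`, and the parent keeps its own DOM, cookies and other globals out of reach. That is the security benefit of the iframe route compared to including the third-party script directly, where it runs with exactly the same privileges as the page's own code.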

Best Answer

You can use JSONP. It's not so hard to write a little function yourself, here is a little example from one of my sites:

function ecbCreateScript(url, callback) {
    var head = document.getElementsByTagName('head')[0];
    var script = document.createElement('script');
    var done = false;
    script.type = 'text/javascript';
    script.src = url;

    // Run the callback exactly once: old IE fires onreadystatechange
    // (readyState 'loaded' or 'complete'), other browsers fire onload.
    function onLoaded() {
        if (done) return;
        if (script.readyState &&
            script.readyState !== 'loaded' && script.readyState !== 'complete') return;
        done = true;
        script.onreadystatechange = script.onload = null;
        if (callback) callback();
    }
    script.onreadystatechange = onLoaded;
    script.onload = onLoaded;

    // fire the loading
    head.appendChild(script);
}
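To show the whole exchange behind that script-injection helper, here is an added example (not the answer's own code) with both halves of a JSONP call: the server side that wraps the data in a call to the client-supplied callback, and the client side that registers the callback, loads the script and cleans up. The endpoint URL, the `callback` parameter name and the generated callback names are assumptions made for the example.

```javascript
// Added example, not the answer's own code: both halves of a JSONP
// exchange. The endpoint URL, parameter and callback names are hypothetical.
//
// Security model: a JSONP response is a <script>, so the page runs whatever
// the endpoint returns, with the same privileges as any other script on the
// page. Only call endpoints you trust; and if you *serve* JSONP, never
// reflect the callback parameter unchecked.

// ---- Server half (what the endpoint must do) ----
// Accept only a plain identifier as callback name. Without this check a
// request like ?callback=alert(document.cookie)// turns the endpoint into a
// reflected-XSS vector on any site that includes it.
var CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  // JSON is not quite a JavaScript literal: U+2028/U+2029 are legal inside
  // JSON strings but were line terminators in older engines, so escape them.
  var json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // Serve with Content-Type: application/javascript. The leading comment
  // keeps the body from being reused as something other than a script.
  return '/**/ ' + callbackName + '(' + json + ');';
}

// ---- Client half ----
var jsonpCounter = 0;

// Default transport: inject a <script> tag (browser only).
function loadViaScriptTag(url, onError) {
  var script = document.createElement('script');
  script.src = url;
  script.async = true;
  script.onerror = function () { onError(new Error('script failed to load')); };
  document.head.appendChild(script);
}

// jsonpRequest(url, cb, opts): registers a unique global callback, appends
// callback=<name> to the URL and loads it. opts.load replaces the <script>
// injection (used by the test below); opts.timeoutMs defaults to 5000.
// Returns the callback name so a caller can inspect it.
function jsonpRequest(url, cb, opts) {
  opts = opts || {};
  var name = 'jsonp_cb' + (++jsonpCounter);
  var scope = typeof window !== 'undefined' ? window : globalThis;
  var fullUrl = url + (url.indexOf('?') === -1 ? '?' : '&') +
                'callback=' + encodeURIComponent(name);
  var done = false, timer = null;

  function finish() {              // exactly one of success/error/timeout wins
    if (done) return false;
    done = true;
    clearTimeout(timer);
    delete scope[name];            // no stale global the endpoint could call later
    return true;
  }
  scope[name] = function (data) { if (finish()) cb(null, data); };
  timer = setTimeout(function () {
    if (finish()) cb(new Error('JSONP timeout'));
  }, opts.timeoutMs || 5000);

  (opts.load || loadViaScriptTag)(fullUrl, function (err) {
    if (finish()) cb(err);
  });
  return name;
}
```

Note what JSONP does and does not give you: it is a way to fetch cross-origin data by executing a script from that origin, so the returned code runs inside the including page with full access to it. It does not isolate the third-party code from the page, which is a separate concern from the data transport.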