CDS restriction implemented in standard web browsers to prevent the execution of scripts reside in a different domain from the current domain hosting the web applications. CDS restriction's primary purpose is against malicious scripts from being executed at a unknown untrusted domain. If you are familiar with Java Applet, here is a similar analogy: in an applet application, you are literally prohibited from making connections to the outside world differing from your own domain.
In this blog, I will try to explain a way to allow remote scripting with BlogSpot and certainly you can use it with other web application as well.
First attempt: Load the scripts directly (failure)
so you include the remote scripts with the following statements:
<script type="text/javascript" src="http://remote-domain/test.js"/>
And then when you try to call a method in that test.js script, the browser chokes complaining permission denied.
It doesn't work because we can't fool CDS with this trick!
Second attempt: request the remote scripts then load them programmatically (failure)
This time, I try to get the scripts from my local script then attempt to load them in memory using the built-in eval method of javascript 1.4. here is how it works:
<script>
var req;
function loadJS(url)
{
req = false; // branch for native XMLHttpRequest object
if(window.XMLHttpRequest)
{
try { req = new XMLHttpRequest(); } catch(e) { req = false; }
// branch for IE/Windows ActiveX version }
else if(window.ActiveXObject)
{
try
{
req = new ActiveXObject("Msxml2.XMLHTTP");
}
catch(e)
{
try
{
req = new ActiveXObject("Microsoft.XMLHTTP");
}
catch(e) { req = false; }
}
}
if(req)
{
req.onreadystatechange = insertJS;
req.open("GET", url, true); req.send("");
}
}
function insertJS()
{
var code = req.getResponseText;
eval(code);
}
<script/>
So you call this method loadJS('http://remote-domain/test.js') and hope it works. No it doesn't! The same error "permission denied" will popup again.
Third attempt: request the remote scripts then define inline scripts using those script (failure)
So I use the previous code to request the scripts from different domain as above. But this time, instead of using the eval method, I create a DOM node to build an inline script tag: