
Let's Solve Cross-domain Ajax, Totally On The Client, Using Script Tags

I know, there's JSONP, which involves server cooperation to name-space the data. What is bothering me is the fact that the content of script tag src is evaluated, but it's NOT avai

Solution 1:

HTML5 provides window.postMessage which provides a mechanism for safe cross domain messaging, and is supported by Firefox 3, Opera 9.6, and WebKit nightlies.

That said, your suggestion above cannot work because it requires fundamentally different behaviour from JavaScript's eval. eval parses and executes the given string in the current context -- what you're requesting is that eval change the actual code of the containing function, e.g.

 for (var i = 0; i < 10; i++) eval("; doSomething();");

would become

 for (var i = 0; i < 10; i++) ; doSomething();;

meaning the for-loop becomes empty, and doSomething would only be called once. Clearly this would result in incredibly difficult to comprehend semantics, as well as making it substantially less safe to use, as eval would gain the ability to directly influence control flow.
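
The receiving side of the window.postMessage exchange mentioned in Solution 1, as an added example that is not part of the original answers. The origin https://data.example.com, the {type, payload} message shape and the function name makeMessageHandler are assumptions made for illustration, and the sender is assumed to be another window.

```javascript
// Added example: validating a cross-origin "message" event before using it.
// The trusted origin and the message shape are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://data.example.com"]);

// Builds a "message" event handler that accepts data only from trusted
// origins and treats the payload strictly as data, never as code.
function makeMessageHandler(trustedOrigins, onData) {
  return function handleMessage(event) {
    // event.origin is filled in by the browser, not by the sending script.
    // Compare it by exact match, not with substring or suffix tests.
    if (!trustedOrigins.has(event.origin)) {
      return { accepted: false, reason: "origin" };
    }

    // Strings are parsed with JSON.parse, not eval: a payload such as
    // "doSomething();" is rejected instead of being executed.
    let msg = event.data;
    if (typeof msg === "string") {
      try {
        msg = JSON.parse(msg);
      } catch (e) {
        return { accepted: false, reason: "parse" };
      }
    }
    if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
      return { accepted: false, reason: "shape" };
    }

    onData(msg);

    // Reply with an explicit targetOrigin rather than "*", so the answer
    // is delivered only if the sender is still on the validated origin.
    if (event.source) {
      event.source.postMessage(JSON.stringify({ type: "ack", for: msg.type }), event.origin);
    }
    return { accepted: true };
  };
}

// In a browser, register the handler; outside a browser this is skipped.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", makeMessageHandler(TRUSTED_ORIGINS, console.log));
}
```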


Solution 2:

I'm not sure this is at all possible due to browser security policies.


Solution 3:

I'm inclined to say leave it. These kinds of issues will be solved, but not by hacking around what we already have. The web is fundamentally broken in that regard. The fact that any script from one domain can be executed on another is a severe security vulnerability that will hamper the growth of the web if left unchecked.

http://www.slideshare.net/webdirections/douglas-crockford-ajax-security-presentation

