in reply to CGI::Ajax. Getting content of second.html file to resultant div of one.pl (same/cross domain)

If the point is to display random webpages within your own, why not use an <iframe>? That's what they're for.

If you incorporate someone else's page inside of your own verbatim, then, if said page has <script> elements on it, whoever owns that page gains the ability to run arbitrary scripts in your own domain's browser context — remember that the owners of the website serving that page can change the contents of that page any time they want — meaning they can call your javascript functions with whatever arguments they want, read your cookies, and thus masquerade as and do anything that your own javascript can do. Which then means you either have to

  1. set things up so that your own javascript and your browser context can't actually do anything (in which case what is it you need javascript for in the first place, apart from incorporating the page?), or
  2. you have to parse their page and get rid of their <script> tags.

This is all before we get into how you're incorporating the page.

What is it you're actually trying to do?
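
The `<iframe>` approach suggested above, as an added example that is not part of the original post: a helper that emits iframe markup only for https URLs on an allow-list and adds an empty `sandbox` attribute, which matters for a same-domain page such as second.html because a plain iframe from your own domain still shares your origin. The function names and the allow-listed hosts are hypothetical.

```javascript
// Added example: build <iframe> markup that embeds a page without giving its
// scripts access to the embedding page. All names here are hypothetical.

// Origins we agree to embed (constructed sample values).
const ALLOWED_ORIGINS = new Set([
  "https://www.homepage.example",
  "https://partner.example",
]);

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns iframe markup, or throws if the URL must not be embedded.
function buildSandboxedIframe(rawUrl, title, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl); // rejects relative and malformed input
  } catch (err) {
    throw new Error("not an absolute URL: " + rawUrl);
  }
  if (url.protocol !== "https:") {
    throw new Error("refusing non-https scheme: " + url.protocol);
  }
  if (url.username || url.password) {
    throw new Error("refusing URL with embedded credentials");
  }
  if (!allowedOrigins.has(url.origin)) {
    throw new Error("origin not on the allow-list: " + url.origin);
  }
  // sandbox="" with no tokens: the framed document cannot run scripts and is
  // treated as a unique origin, so even a same-domain page cannot read the
  // parent's cookies or call the parent's functions.
  return '<iframe src="' + escapeAttr(url.href) + '" title="' +
    escapeAttr(title) + '" sandbox=""></iframe>';
}
```

Adding tokens such as `allow-scripts` together with `allow-same-origin` for a same-domain page undoes the isolation, so the empty attribute is the safe default.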


Replies are listed 'Best First'.
Re^2: CGI::Ajax. Getting content of second.html file to resultant div of one.pl (same/cross domain)
by msinfo (Sexton) on Jun 07, 2013 at 02:44 UTC
    Hi wrog and Anonymous Monk;

    Your security remarks were helpful. I asked about cross domain, just for info, and won't be actually implementing it.

    What I want to do: I have a demo project, which contains navigation links in the header section, three divs in the mid section, and a footer with a message. Whenever the user clicks on a link, content related to that link gets generated in the second div from another HTML file. And at this point I want the URL to be changed to www.homepage.com/navigation_link_name.

    Making the user feel that he is navigating tabs in an application.

    Is this achievable, or is something wrong with this kind of approach?

    Second, is XMLhttp+JavaScript = Ajax, then how can I do the HTTP-related things done at this link using CGI::Ajax?

    http.open('get', 'http://www.myhostname.com/cgi-bin/myscript.pl?nocache='+now.getTime());
    var response = http.responseText;
    setTimeout('wipeout()', 2000);

    I just pass the URL to the method, I get the response, then I can print out the whole document, or parse the required element's content.

    This is close to what I want to do. If I click CSS, or JavaScript, or another link, then the upper portion remains the same and the content below the navigation links changes. At the same time the URL also changes.

Re^2: CGI::Ajax. Getting content of second.html file to resultant div of one.pl (same/cross domain)
by Anonymous Monk on Jun 06, 2013 at 23:33 UTC

    then whoever owns that page gains the ability to run arbitrary scripts in your own domain's browser context

    maybe, if the browser is configured to allow this

      Actually no.

      If one interprets "ability to run scripts in your domain's browser context" to include the case where your domain's browser context is explicitly broken so as to not allow scripts to actually do anything (i.e., not even execute any instructions), then it's still the case that everything your code can do, their code can do; it's just that since your code can no longer do anything, neither can theirs,…

      … which, I suppose, is one way to achieve absolute security, but not terribly useful if you actually wanted to do anything in javascript.

        Actually no. ....

        According to what? Using what browser?