Cross-domain JavaScript callbacks

malte on 2008-02-23T18:59:50

I created a JavaScript library that enables sending JavaScript messages between browser pages that reside on different domains.

The listener can register a number of callbacks and allow specific domains to call these callbacks.

This is done via evil cookie magic, but it seems to work. I'd be very interested in feedback. Do you have security concerns? Is this a novel idea?

A demo can be seen here and the library is here


Do you read Ajaxian?

renodino on 2008-02-23T21:47:38

I vaguely recall a similar technique described on http://www.ajaxian.com/ some weeks ago. You might search their archive.

Also, your demo page shows different subdomains of the same domain; IIRC, some browser(s) only restrict access to the first level above the TLD? Have you verified between, say, yahoo.com and google.com?

Re: Do you read Ajaxian?

malte on 2008-02-24T00:01:51

Do you mean the postMessage() article? That's similar, but it is only implemented in Opera as far as I know.

xssinterface works across different top-level and second-level domains because it asks a URL from the destination domain to set the cookie.
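
The listener design discussed in this thread (registered callbacks, each callable only from specific domains), as an added example built on the postMessage() event shape (`origin`, `data`) rather than cookies. It is not xssinterface's code: `CallbackRegistry`, `register`, `handleMessage`, the JSON message format and the hostnames are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical and this is not the xssinterface API.

// Canonicalise an allowlist entry to scheme://host[:port]; reject anything else.
function normalizeOrigin(value) {
  const url = new URL(value); // throws on malformed input
  if (url.origin === "null" || url.pathname !== "/" ||
      url.search || url.hash || url.username) {
    throw new Error("not a bare origin: " + value);
  }
  return url.origin;
}

class CallbackRegistry {
  constructor() {
    this.entries = new Map(); // a Map, so names like "__proto__" never resolve
  }

  // Register a callback together with the exact origins allowed to call it.
  register(name, allowedOrigins, fn) {
    const origins = new Set(allowedOrigins.map(normalizeOrigin));
    this.entries.set(name, { fn, origins });
  }

  // `event` has the shape of a postMessage MessageEvent: { origin, data }.
  handleMessage(event) {
    const bad = { ok: false, reason: "bad-message" };
    if (typeof event.data !== "string") return bad;
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return bad; }
    if (msg === null || typeof msg.name !== "string" || !Array.isArray(msg.args)) return bad;

    const entry = this.entries.get(msg.name);
    if (!entry) return { ok: false, reason: "unknown-callback" };
    // Exact match on the browser-supplied origin: no suffix or substring tests.
    if (!entry.origins.has(event.origin)) return { ok: false, reason: "origin-denied" };
    return { ok: true, value: entry.fn(...msg.args) };
  }
}

// Constructed sample: one callback, callable from one origin only.
const registry = new CallbackRegistry();
registry.register("greet", ["http://a.example.com"], (who) => "hello " + who);

const call = JSON.stringify({ name: "greet", args: ["world"] });
const deliver = (origin, data = call) => registry.handleMessage({ origin, data });

console.log(deliver("http://a.example.com"));           // allowed
console.log(deliver("http://b.example.com"));           // sibling subdomain
console.log(deliver("http://a.example.com.evil.test")); // look-alike suffix
```

In a browser the same handler would be attached with `window.addEventListener("message", e => registry.handleMessage(e))`.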