How is it that tools like this one can make an ajax style call back to a central site? basically they give you a ‘ tag to put on your site where ever it is. So in this widget you have the ability to ask for an email to be sent to you for the page you’re currently on. I assume this makes an ajax style call back to share this who sends out the email. But how can they do this with out a proxy on your server and without the browser blocking it as an XSS exploit?
Any answers on this would be greatly appreciated thank you for your help. I assume working with the Flickr API would present the same challenges?
Link from the title : http://sharethis.com/
They give you a script to include in your site. This script has full access to the DOM and your cookies. In order for it to call back to their site, they use a technique called JSONP. The script that you included, adds another script with parameters in the querystring. The server then returns JSON (which is just JavaScript), and the data is extracted.
If you are building mashups, you have to trust that these widgets aren’t going to do something malicious like steal your cookies. There will be better support for safe XSS in IE 8.