I have built a content locker widget for members of my website. A content locker forces a visitor to complete a survey before it redirects them.
Basically, I need to have JavaScript make an Ajax request to my domain and redirect the user if the survey is finished. Let's just say a PHP script will echo '1' for complete and '0' for incomplete.
This would be trivial normally, but users place the JavaScript code on THEIR websites, not mine. So I am worried about running into Cross-Scripting flags.
So how do Content lockers do this? I know this is possible because companies like Adscend Media have one.
Also, after designing their widget on my website, they put code on their website with something like this:
<script type="text/javascript" src="http://mywebsite.com/js/w.php?i=6PS0D9"></script>
This goes in the head tag. Does including this script somehow make Cross-Scripting to my domain available since the script itself is on my domain?
Thanks for any help.
The basic issue you're concerned about is the "same-origin policy", which is a policy followed by all major browsers to prevent web sites from making AJAX requests to other domains.
However, the same-origin policy does not limit scripts brought in by <script> tags, which is why content lockers are able to serve any script files they want without issue. Incidentally, this is also how the "JSONP" workaround for the same-origin policy works.

If you want to allow your customers to make cross-domain requests to your website, you can add their domain name to a special "crossdomain.xml" file on your site, and (current) browsers will allow those requests to work (I forget the name/path of the file, but it should be easy to look up if you're interested; see here for more info: https://support.ookla.com/entries/21097566-what-is-crossdomain-xml-and-why-do-i-need-it).

Alternatively your customers could set up a proxy to your server on theirs (probably not something they want to do). Or, you could just use JSONP, which is basically where:
var letThisGuyIn = true; function foo() { return letThisGuyIn }
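The JSONP exchange the answer describes, written out as an added example that is not code from the original question or answer: the widget embedded on the customer's site adds a script tag pointing at the locker's domain, and the locker's endpoint answers with a call to the named callback. It is simulated here so it runs offline in Node; the endpoint path /js/status.php, the parameter names "i" and "callback", and the widget ids are assumptions, not the real service. Two things a practitioner would want that the one-line snippet above does not show: the callback name is validated on the server (otherwise the endpoint reflects attacker-chosen code into a script served from your own origin), and the complete/incomplete decision is made on the server rather than in a client-side flag.

```javascript
// Added example, not from the original post: JSONP round trip for the
// "is the survey complete?" check, simulated in Node. The endpoint path,
// the "i"/"callback" parameter names and the widget ids are assumptions.

// ---------- Server side: what the PHP endpoint on mywebsite.com would emit ----------

// Constructed stand-in for the database lookup: widget id -> survey completed?
const SURVEY_STATUS = { "6PS0D9": true, "X1Y2Z3": false };

// Accept only a plain JavaScript identifier as the callback name. Without this
// check a request such as ?callback=alert(document.cookie)// reflects
// attacker-chosen code into a script served from your origin, i.e. reflected
// XSS on mywebsite.com itself.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function buildJsonpResponse(query) {
  const cb = query.callback;
  if (typeof cb !== "string" || !CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid callback" };
  }
  // The decision is made here, server-side. A flag such as letThisGuyIn set
  // in the client script can be flipped by anyone with devtools.
  const complete = SURVEY_STATUS[query.i] === true ? 1 : 0;
  return {
    status: 200,
    headers: {
      // Script content type plus nosniff, and a leading comment so the body
      // never starts with attacker-controlled bytes (content-sniffing tricks).
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/ ${cb}(${JSON.stringify({ complete })});`,
  };
}

// ---------- Client side: the widget the customer pastes into their own page ----------

// In a browser, loadScript would append <script src="..."> to the document;
// the same-origin policy does not apply to that, which is the point of JSONP.
function checkSurvey(widgetId, loadScript, onResult) {
  const cbName = "cl_cb_" + Math.random().toString(36).slice(2); // unique per request
  globalThis[cbName] = (data) => {
    delete globalThis[cbName];
    // The real widget would set window.location to the target when complete === 1.
    onResult(data.complete === 1);
  };
  const url =
    "https://mywebsite.com/js/status.php?i=" + encodeURIComponent(widgetId) +
    "&callback=" + cbName;
  loadScript(url);
}

// Stand-in for the browser's <script> tag: "fetch" the URL by calling the
// server function directly, then execute the returned body in global scope,
// which is exactly what a script tag does with whatever the server sends.
function simulatedScriptTag(url) {
  const u = new URL(url);
  const res = buildJsonpResponse({
    i: u.searchParams.get("i"),
    callback: u.searchParams.get("callback"),
  });
  if (res.status !== 200) throw new Error("script load failed: " + res.body);
  new Function(res.body)();
}

// Usage
checkSurvey("6PS0D9", simulatedScriptTag, (ok) => console.log("6PS0D9 complete?", ok));
checkSurvey("X1Y2Z3", simulatedScriptTag, (ok) => console.log("X1Y2Z3 complete?", ok));
```

Note what the customer is accepting by pasting that script tag: the locker's origin can run arbitrary code in the customer's page, so the endpoint's callback validation protects the locker's own domain, not the customer's. The only thing the locker can rely on is its own server-side answer; anything decided inside the embedded script is under the visitor's control.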