
How does Google's API make cross-domain requests back to Google, when it's on your website?


5 Answers

up vote 9 down vote accepted

<script> tags work cross-domain. See also: JSONP

This answer is incorrect, they use iframes, see stackoverflow.com/a/15170008/977939 – jpillora Apr 14 at 6:31

They get around it by dynamically injecting script tags into the head of the document. The JavaScript that is sent down via this injection has a callback function in it that tells the script running in the page that it has loaded and the payload (data).

The script can then remove the dynamically injected script tag and continue.


AFAIK they use IFRAMEs.

1  
I agree with you. Google should be using something similar to this, as they do a POST to their Calendar service using the JavaScript library, which is not possible in JSONP. +1 – Ramesh Sep 11 '09 at 12:40
1  
You can't get any data back from a cross-domain iframe though - you can post data, but you can't see any result. Since you can use GET arguments with jsonp which allows you to send the same thing as post (except files or large quantities of data), they almost certainly don't use iframes – tobyodavies Nov 26 '10 at 2:10
iframes are the 2nd stupidest invention ever. – Dhaivat Pandya Oct 18 '11 at 21:29

Another possibility is to use the window.name transport as described for the Dojo framework here


The accepted answer is wrong. Ben is correct. Below is the actual iframe node pulled off a page using the Google API JavaScript Client.

<iframe name="oauth2relay678" id="oauth2relay678" 
        src="https://accounts.google.com/o/oauth2/postmessageRelay?
             parent=https%3A%2F%2Fwww.example.com.au#rpctoken=12345&amp;forcesecure=1" 
             style="width: 1px; height: 1px; position: absolute; left: -100px;">
</iframe>

Basic summary of how this works is here: http://ternarylabs.com/2011/03/27/secure-cross-domain-iframe-communication/. On modern browsers they utilize HTML postMessage to achieve communication, and on older browsers, they use a neat multiple-iframe-urlhash-read+write-combination hack. Ternary Labs have made a library which abstracts all the hacky stuff out, essentially giving you postMessage on all browsers.

One day I'll build on top of this library to simplify cross-domain REST APIs...

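A postMessage relay like the one described in the answer above is only as trustworthy as the origin check in its message handler. The following is an added example, not part of the original answers and not Google's code: a receiver that derives the expected parent origin and token from a relay URL shaped like the one quoted, and rejects everything else. The message shape `{ rpctoken, payload }`, the use of `rpctoken` as a shared secret, and all function names are assumptions for illustration.

```javascript
// Added example: origin-checked postMessage receiver for a relay iframe.
// The message shape { rpctoken, payload } is an assumption, not Google's protocol.

// Constructed sample, modelled on the iframe src quoted in the answer above.
const SAMPLE_SRC =
  "https://accounts.google.com/o/oauth2/postmessageRelay" +
  "?parent=https%3A%2F%2Fwww.example.com.au#rpctoken=12345&forcesecure=1";

// Extract the expected parent origin and per-frame token from the relay URL.
function parseRelayConfig(src) {
  const url = new URL(src);
  const fragment = new URLSearchParams(url.hash.slice(1));
  return {
    relayOrigin: url.origin,
    parentOrigin: new URL(url.searchParams.get("parent")).origin,
    rpcToken: fragment.get("rpctoken"),
    forceSecure: fragment.get("forcesecure") === "1",
  };
}

// Build the handler the relay frame would register with
// window.addEventListener("message", handler). It returns a reason string
// so that rejected messages can be logged.
function makeRelayHandler(config, deliver) {
  return function handler(event) {
    // Exact string comparison on the origin; never a substring or regex match.
    if (event.origin !== config.parentOrigin) return "rejected: origin";
    if (config.forceSecure && !event.origin.startsWith("https://")) {
      return "rejected: insecure";
    }
    const data = event.data;
    if (typeof data !== "object" || data === null) return "rejected: shape";
    if (data.rpctoken !== config.rpcToken) return "rejected: token";
    deliver(data.payload, event.origin);
    return "accepted";
  };
}

// Demo with constructed MessageEvent-like objects (no browser needed).
const received = [];
const handler = makeRelayHandler(parseRelayConfig(SAMPLE_SRC), (p) => received.push(p));
const results = [
  handler({ origin: "https://www.example.com.au", data: { rpctoken: "12345", payload: "ok" } }),
  handler({ origin: "https://www.example.com.au.lookalike.test", data: { rpctoken: "12345", payload: "x" } }),
  handler({ origin: "https://www.example.com.au", data: { rpctoken: "99999", payload: "x" } }),
];
console.log(results, received);
```

On the sending side, the matching precaution is to pass the exact target origin to `postMessage` rather than `"*"`.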
