This repository has been archived by the owner on Feb 12, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
secure_jsonp.js
241 lines (212 loc) · 11.4 KB
/
secure_jsonp.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
/**
* BSD License
*
* Copyright (c) 2011, Salesforce Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
*
* -Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* -Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
**/
(function($){
$(document).ready(function() {
var
// ### Start configuration defaults ###
// a separate domain or subdomain whose security we do not care about (e.g. no user cookie)
// from which to make the jsonp calls
DIFFERENT_DOMAIN = 'http://127.0.0.1',
PATH_TO_IFRAME_HTML = '/secure_jsonp_iframe.html',
// ### End configuration defaults ###
// the namespace/prefix to use on our iframe id(s)
IFRAME_ID_PREFIX = "secure_jsonp_",
// if postmessage is available in this browser
POSTMESSAGE_AVAILABLE = 'postMessage' in window,
// used to delineate discreate pieces of information in the request message
MESSAGE_SEPARATOR = "!:!",
// message sent from child in indicate loading complete
IFRAME_LOADED_MESSAGE = "loaded";
var BaseImplementation = function() {};
BaseImplementation.prototype =
{
initialize: function() {
throw "initialize must be implemented";
},
makeRequest: function() {
throw "makeRequest must be implemented";
}
}
var PostMessageImplementation = function() {
// is our child iframe ready to receive messages
this.iframeLoaded = false;
// a map of request ids to associated callback functions
this.requestIdToCallback = {};
// keep a list of all requests that happen before we receive the loaded
// message from the child
this.requestsBeforeIframeLoaded = [];
// the iframe we'll use to send requests
this.iframe = null;
// the next request id sent to the child iframe
this.nextRequestId = 0;
};
PostMessageImplementation.prototype = new BaseImplementation();
$.extend(PostMessageImplementation.prototype, {
_attachPostmessageListener : function(receiveCallback) {
if (window.addEventListener) {
window.addEventListener("message", receiveCallback, false);
}
else if (window.attachEvent) {
window.attachEvent("onmessage", receiveCallback);
}
},
_createIframe: function(iframeSource) {
var iframe = $('<iframe></iframe>');
iframe.attr("src", iframeSource);
iframe.css("display", "none");
iframe.appendTo($('body'));
return iframe;
},
_receiveMessage: function(event)
{
if (event.origin !== DIFFERENT_DOMAIN) {
throw ("Message received from " + event.origin + " but only " +
DIFFERENT_DOMAIN + " is approved");
}
if(!this.iframeLoaded && event.data === IFRAME_LOADED_MESSAGE) {
this.iframeLoaded = true;
this._sendPendingRequests(this.iframe[0]);
return;
}
var result = JSON.parse(event.data);
var requestId = result[0];
var data = result[1];
this.requestIdToCallback[requestId](data);
// cleanup
delete this.requestIdToCallback[requestId];
},
_sendPendingRequests: function(iframe) {
var that = this;
$.each(this.requestsBeforeIframeLoaded, function(i) {
iframe.contentWindow.postMessage(that.requestsBeforeIframeLoaded[i], DIFFERENT_DOMAIN);
});
// reset pending requests
this.requestsBeforeIframeLoaded = [];
},
initialize: function() {
var that = this;
this.iframe = this._createIframe(DIFFERENT_DOMAIN + PATH_TO_IFRAME_HTML);
this._attachPostmessageListener(function(event){that._receiveMessage(event)});
},
makeRequest: function(url, callback, options) {
this.requestIdToCallback[this.nextRequestId.toString()] = callback;
options = JSON.stringify(options || "{}");
var request = (this.nextRequestId + MESSAGE_SEPARATOR + options + MESSAGE_SEPARATOR + url);
// to find when the iframe is loaded we are going to wait for a postmessage
// that the child sends us when finished loading. The .load() and .ready() functions
// do not function properly and trigger before loading is complete,
// resulting in lost messages. They may not be able to detect
// loading completion because the iframe is on a separate domain.
if(this.iframeLoaded) {
this.iframe[0].contentWindow.postMessage(request, DIFFERENT_DOMAIN);
} else {
this.requestsBeforeIframeLoaded.push(request);
}
this.nextRequestId += 1;
}
});
var WindowNameImplementation = function() {
// the unique id to assign to the next iframe request
this.nextIframeId = 0;
// a globally accessible place to store the callback functions
// it is necessary to make this globally accessible for function
// to call in IE7
$._secureJsonpCallbacks = {};
}
WindowNameImplementation.prototype = new BaseImplementation();
$.extend(WindowNameImplementation.prototype, {
// a wrapper around the iframeOnload function to preserve the
// iframeId through closure
_makeOnloadFunction: function(iframeId, callback) {
var that = this;
return function() {
that._iframeOnload(iframeId, callback);
}
},
_createIframe: function(url) {
// must set the onload function here for IE to work correctly.
// and this onload function must be globally accessible to be reached.
// it does not work to directly attaching the onload function
// NB: get rid of clicks (that occur whenever an iframe's location changes)
// in IE by detaching iframe from main document.
// see: http://grack.com/blog/2009/07/28/a-quieter-window-name-transport-for-ie/
var iframe = $('<iframe id="' + IFRAME_ID_PREFIX + this.nextIframeId + '" onload="$._secureJsonpCallbacks[' + this.nextIframeId + ']()" style="display:none;"/>');
// add the iframe to the DOM before setting its source so
// it doesn't hang older browsers
iframe.appendTo('body');
iframe.attr('src', url);
this.nextIframeId += 1;
return iframe;
},
// the function that is called when the child iframe returns back
// if postmessage is not available
_iframeOnload: function(iframeId, callback){
var iframe = document.getElementById(IFRAME_ID_PREFIX + iframeId);
// on the initial iframe load, it will be on a different
// domain (to make the jsonp call) and we won't have the
// result, so this onload function should return silently
// without doing anything.
// TODO: this is not unexpected so don't raise an exception
try {
var result = iframe.contentWindow.name;
} catch(e) {
// we errored out because the iframe loaded on a domain we don't control
// so we couldn't check the name property.
return;
}
result = JSON.parse(result);
callback(result);
// now remove the iframe and delete the reference to the callback
iframe.parentNode.removeChild(iframe);
delete $._secureJsonpCallbacks[iframeId];
},
initialize: function() {
},
makeRequest: function(url, callback, options) {
options = JSON.stringify(options || "{}");
var request = encodeURIComponent(options + MESSAGE_SEPARATOR + url);
var url = DIFFERENT_DOMAIN + PATH_TO_IFRAME_HTML + '#' + request;
// first we need to make callback globally accessible for IE 7
$._secureJsonpCallbacks[this.nextIframeId] = this._makeOnloadFunction(this.nextIframeId,
callback);
this._createIframe(url);
}
});
var SecureJsonp = function() {
var implementation,
// have we run initialize yet
initialized = false;
if(POSTMESSAGE_AVAILABLE) {
implementation = new PostMessageImplementation();
} else {
implementation = new WindowNameImplementation();
}
return {
initialize: function(configuration) {
DIFFERENT_DOMAIN = configuration.differentDomain || DIFFERENT_DOMAIN;
PATH_TO_IFRAME_HTML = configuration.pathToIframeHtml || PATH_TO_IFRAME_HTML;
implementation.initialize();
initialized = true;
},
makeRequest: function(url, callback, options) {
if(!initialized) {
throw "You must call initialize before makeRequest";
}
implementation.makeRequest(url, callback, options);
}
}
}
// attach to the global namespace
$.secureJsonp = new SecureJsonp();
});
})(window.jQuery || window.$);