How does dojo/request/iframe work?

Question

I am slowly getting better at the whole Javascript/Dojo world. But, I am confused by the whole dojo/request/iframe business. I know that in Javascript you can only connect to the origin server for security reasons. That's a given. However, when people start taking about "using iframes to get around that", I get very lost.

Dojo/resources/blank.html:

• contains <html><head><script>isLoaded = true;</script></head><body></body></html>
• Needs to be hosted by the same server that has your application. So, if you use dojo from a CDN, you need to have this blank.html file saved on the same server where the application is coming from

The page http://livedocs.dojotoolkit.org/dojo/request/iframe explains, about iframe:

• Calling a service on a server other than the one that originated the calling page (cross-domain request). Note that in this case, the response body cannot be read: you can send data, but not get any replies. If you need access to the return data, see dojo/request/script.

• Uploading files from a form (e.g. file input controls). The normal XHR mechanism cannot access file data referenced by file selection tags as a security measure. dojo/request/iframe can by proxying those calls through an IFrame, making it possible to still do file uploads in an asynchronous manner.

How does an empty HTML page help me with this? (Well, one that sets a global variable "isLoaded"...?)

Also, after explaining in the two points above that you cannot retrieve the response, the documentation continues with:

• An example of making a request to retrieve some XML would look like:

So... you can retrieve?

I think I need to go one step back and really understand the whole "using an iframe to get around cross-domain request" as well as actually understand the issue that "normal XHR mechanisms" (what mechanisms?) cannot access data references by the selection tags (what selection tags? And isn't the data in the request body anyway?) can proxy those callls through an iFrame (you mean a single empty file that sets isLoaded?!? )

I am very confused... and lost. Can somebody give me a bit of direction?

Thank you...

Merc.

Answer 1

Well, I don't know about the blank.html page, but the second part of your question is something I understand. As far as I know, most (all) browsers deny cross-domain requests from XHR/JavaScript and neither can they send data from file upload form elements due to security reasons. If it was possible, hackers could (by injecting some JavaScript) do horrible things like sending data to other domains or read uploaded files.

To get around this issue you can use iframes. Iframes CAN load cross-domain pages, however the problem is that you can not simply access the content of an iframe if it's a cross domain request. However, with JavaScript you can set the source of the iframe and thus you can send data through an iframe.

The same thing with files, you cannot send it directly, but you can send them through iframes, because you can manipulate what iframes do (and send data).

So TL;DR: Browsers block certain things that you can do with JavaScript like:

• Sending data through XHR that is cross-domain
• Read file data through XHR
• Reading iframe data that is cross-domain

So you CAN do the following:

• Send data that is cross-domain through an iframe
• Read file data through an iframe
• Read iframe that that is not cross-domain

So you can indeed read a file with the iframe dojo module as long as it is not a cross-domain request.

I hope I explained it good enough to understand.