Third-Party JavaScript
Ben Vinegar
Anton Kovalyov
Foreword by Paul Irish
MANNING
Shelter Island

For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact

Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 261
Shelter Island, NY 11964
Email: [email protected]

©2013 by Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Manning Publications Co.
20 Baldwin Road
PO Box 261
Shelter Island, NY 11964

Development editor: Renae Gregoire
Technical proofreaders: Alex Sexton, John J. Ryan III
Copyeditor: Benjamin Berg
Proofreader: Katie Tennant
Typesetter: Dottie Marsico
Cover designer: Marija Tudor

ISBN 9781617290541
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 – MAL – 18 17 16 15 14 13

brief contents

1 Introduction to third-party JavaScript
2 Distributing and loading your application
3 Rendering HTML and CSS
4 Communicating with the server
5 Cross-domain iframe messaging
6 Authentication and sessions
7 Security
8 Developing a third-party JavaScript SDK
9 Performance
10 Debugging and testing

contents

foreword
preface
acknowledgments
about this book
about the authors
about the cover illustration

1 Introduction to third-party JavaScript
    1.1 Defining third-party JavaScript
    1.2 The many uses of third-party JavaScript
        Embedded widgets
        Analytics and metrics
        Web service API wrappers
    1.3 Developing a bare-bones widget
        Server-side JavaScript generation
        Distributing widgets as iframes
    1.4 Challenges of third-party development
        Unknown context
        Shared environment
        Browser restrictions
    1.5 Summary

2 Distributing and loading your application
    2.1 Configuring your environment for third-party development
        Publisher test page
        The web server
        Simulating multiple domains
    2.2 Loading the initial script
        Blocking script includes
        Nonblocking scripts with async and defer
        Dynamic script insertion
    2.3 The initial script file
        Aliasing window and undefined
        Basic application flow
    2.4 Loading additional files
        JavaScript files
        Libraries
    2.5 Passing script arguments
        Using the query string
        Using the fragment identifier
        Using custom data attributes
        Using global variables
    2.6 Fetching application data
    2.7 Summary

3 Rendering HTML and CSS
    3.1 Outputting HTML
        Using document.write
        Appending to a known location
        Appending multiple widgets
        Decoupling render targets
    3.2 Styling your HTML
        Using inline styles
        Loading CSS files
        Embedding CSS in JavaScript
    3.3 Defensive HTML and CSS
        Namespaces
        CSS specificity
        Overspecifying CSS
    3.4 Embedding content in iframes
        Src-less iframes
        External iframes
        Inheriting styles
        When to refrain from using iframes?
    3.5 Summary

4 Communicating with the server
    4.1 AJAX and the browser same-origin policy
        Rules for determining same origin
        Same-origin policy and script loading
    4.2 JSON with padding (JSONP)
        Loading JSON via script elements
        Dynamic callback functions
        Limitations and security concerns
    4.3 Subdomain proxies
        Changing a document’s origin using document.domain
        Cross-origin messaging using subdomain proxies
        Combining subdomain proxies with JSONP
        Internet Explorer and subdomain proxies
        Security implications
    4.4 Cross-origin resource sharing
        Sending simple HTTP requests
        Transferring cookies with CORS
        Sending preflight requests
        Browser support
    4.5 Summary

5 Cross-domain iframe messaging
    5.1 HTML5 window.postMessage API
        Sending messages using window.postMessage
        Receiving messages sent to a window
        Browser support
    5.2 Fallback techniques
        Sending messages using window.name
        Sending messages using the URL fragment identifier
        Sending messages using Flash
    5.3 Simple cross-domain messaging with easyXDM
        Loading and initializing easyXDM
        Sending simple messages using easyXDM.Socket
        Defining JSON-RPC interfaces using easyXDM.Rpc
    5.4 Summary

6 Authentication and sessions
    6.1 Third-party cookies
        Setting and reading sessions
        Disabling third-party cookies
        Internet Explorer and P3P headers
        Detecting when cookies are unavailable
    6.2 Setting third-party cookies
        Using dedicated windows
        Iframe workaround (Safari only)
        Single-page sessions for Chrome and Firefox