At one point one has to step back and ask what the hell we've created.
I mean really: creating hidden iframes with onload actions that post to another domain. I don't know whether to be proud of our ingenuity or sad that this is the cutting edge of interprocess communication for the web.
This is pretty cool. (tl;dr summary: creates a hidden iframe with a form pointing to the remote domain, submits the form, and uses postMessage to send the result back to the parent frame.)
We experimented with something similar a while ago, but found that creating and destroying all those iframes could slow down older browsers. (Our use case potentially required sending requests relatively frequently.) Have you observed anything like that with this technique?
I've not done much profiling/performance (especially on older browsers) yet. My use case for the whole thing was to do a fire and forget POST to a separate domain.
Honestly, Flash might be the best solution for something like you're talking about. I was just going for something with almost no dependencies that was stupidly simple.
Security is a big one here - doing a <Script src=> include from another domain might be really convenient for getting around cross-domain limits - but if that remote server has been compromised, or if it's run by dodgy individuals, they now have complete control of your webpage and can do incalculable damage to your business.
Hold up, aren't cross-domain requests disallowed for a good reason (security)? I get that Access-Control is unsupported in old IE, but gosh, doesn't it make way more sense?
The reason that cross-domain requests are disallowed has to do almost entirely with cookies. The concern is that since almost everyone uses cookies for identity, it is possible (without the cross-domain barrier) for a random web page to tell the browser to go fetch all their secret data and then return it to the malicious page.
This whole thing isn't an issue any longer if the server containing the secret data is expecting random people to access it and implements auth with something more than cookies. Take a look at Twitter and Facebook. They both allow cross-domain requests.
janky.post will only work if the server is expecting the request (it won't allow arbitrary requests to anything on the remote server) and then, it's up to the remote site's engineers to make these endpoints secure.
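As an added example (not janky.post's code and not written by any commenter), here is one way the parent page can vet the postMessage reply coming back from the hidden iframe described in this thread before trusting it. The tracker, the `{id, body}` message shape and the `example.test` URLs are all assumptions made for illustration.

```javascript
// Added example, not janky.post's code. All names here are hypothetical.
// Parent-side handling of the postMessage reply from the hidden iframe.

// Track each in-flight request by the iframe window created for it.
function createTracker() {
  const pending = new Map(); // id -> { origin, frameWindow, resolve }
  let nextId = 0;

  function register(actionUrl, frameWindow, resolve) {
    const id = String(++nextId);
    // Only the origin the form was submitted to may answer this request.
    pending.set(id, { origin: new URL(actionUrl).origin, frameWindow, resolve });
    return id;
  }

  // Pass every window "message" event here. Returns true if it was accepted.
  function handleMessage(event) {
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return false; }
    if (msg === null || typeof msg !== "object") return false;
    const entry = pending.get(String(msg.id));
    if (!entry) return false;                             // unknown or replayed id
    if (event.origin !== entry.origin) return false;      // wrong sender origin
    if (event.source !== entry.frameWindow) return false; // not our iframe
    pending.delete(String(msg.id));                       // one reply per request
    entry.resolve(msg.body);
    return true;
  }
  return { register, handleMessage, size: () => pending.size };
}

// Constructed demo: plain objects stand in for iframe windows and events.
function demo() {
  const t = createTracker();
  const frame = {}, other = {};
  const got = [];
  const id = t.register("https://api.example.test/submit", frame, (b) => got.push(b));
  const data = JSON.stringify({ id, body: { ok: true } });
  const results = [
    t.handleMessage({ origin: "https://evil.example.test", source: frame, data }),
    t.handleMessage({ origin: "https://api.example.test", source: other, data }),
    t.handleMessage({ origin: "https://api.example.test", source: frame, data: "not json" }),
    t.handleMessage({ origin: "https://api.example.test", source: frame, data }),
    t.handleMessage({ origin: "https://api.example.test", source: frame, data }), // replay
  ];
  return { results, got, remaining: t.size() };
}
```

In a browser, `frameWindow` would be the hidden iframe's `contentWindow` and `handleMessage` would be registered as the window's `message` listener.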