I found an interesting JS technique being used by spurl.net and a few
other sites, and implemented my own version of it. I like using it, but
I'm rather surprised it works at all.
One of my old backburner projects has been an online bookmark archive.
The obvious advantage of keeping bookmarks on a remote host is that
they are available from anywhere, not just the computer they were
bookmarked from.
My original approach was to use a page that would open a child window.
You'd surf in the child window and when you wanted to bookmark a site,
you'd switch to the parent window and hit a button. Worked great until
I tried to bookmark a site that was not in the same domain. That's how
I learned about the 'same domain' security policy 8-0
Spurl uses a small piece of JS code as a pseudo-url in a link, which
the user bookmarks, putting it on the browser's toolbar. When the user
clicks on the link on the toolbar, the JS code executes, opening a
window and calling a url, passing the current page's url and title in
the query string.
It's pretty slick really. But doesn't it seem to violate the 'same
domain' policy that keeps me from reading the title and url of a child
window?
I've implemented my own clone which asks for comments and keywords, and
doesn't save or submit until the user tells it to. But actually by the
time the user sees the popup contents, the server has already seen the
information. I also know it's possible to write one of these pseudo-url
popups to open and close a window without user intervention.
I really haven't taken the time to see just what other information one
of these popups can gather from the "current page" (never thought
about it until now) but the issue is that a little piece of code can
access the document object of a page across domains.
Any comments?
