Bilde

You can't do that! Wait, what's that, you say? Oh no, you're right! Now we're violating the same origin policy that we had been able to avoid before! Hold on a second, though. If my memory serves me correctly, I remember seeing a solution to this very problem when we were working on the new OpenSocial-based dashboard system in JIRA 4. There is an RPC system that allows the gadget - an iframe which in some circumstances is loaded from a different origin than the container - to send messages to the container. It has about 5 different implementations for all the different variations of browsers that are out there - it uses window.postMessage on all the latest browsers that support it, some funky VBScript for IE 6 & 7, a few other techniques for older Gecko and Webkit, and the fallback method using nested iframes. Could we use that? It's been developed and battle-tested by Google developers, and it would fit our needs perfectly. But how easy would it be to just drop it in?



As luck would have it, the Shindig RPC JavaScript code can be pretty easily adapted to run outside Shindig. All we needed to do was create an iframe that is loaded from the ActivityBar webapp, use that to do all of our Ajax requests and long polling with the ActivityBar server, and use the adapted Shindig RPC system to send messages between the application page and the iframe. Phew, disaster averted.