CSSHttpRequest is cross-domain AJAX using CSS

[kwamenum86]

I have always thought this project is interesting but why use it over JSONP? For starters, JSONP is as close as you can get to be a standard for cross-browser scripting. Additionally, it seems somewhat clumsy and there has got to be some limitation on the information the data URI scheme can communicate. I have always admired the other though because I think this is an extremely clever hack.

[csytan]

This seems to be the main advantage:

"Unlike JSONP, untrusted third-party JavaScript cannot execute in the context of the calling page."

Edit: It looks like they create an iframe, load the css, and parse the data using javascript, so it seems to be fairly safe.

[qeorge]

Executing "untrusted" 3rd party JavaScript in the context of the calling page is the whole point of JSONP.

Cool hack, but I don't see where this is useful.

[petewarden]

I want data from a 3rd party API _not_ code. If I call Google's search API I want to get back an array of search results, but they can run arbitrary code on my page if they feel like it.

I want them to call back my supplied function with the data. That I have to allow them to execute arbitrary code they supply to do that is a flaw.

Having said that, using CSS as the delivery mechanism seems pretty exotic, so I'm not advocating this as the solution, but there is a problem out there.

[kwamenum86]

You could just not make js requests to untrusted 3rd parties...but point taken...sort of

[kitcar]

Could either CSSHttpRequest or JSONP be used to determine what URL an iFrame contains? (assuming the user has navigated within the iFrame beyond the initial page defined in the iFrame property)

[mikeytown2]

I can't think of a use case for this, but it's still really cool.