Question

I am writing code for other domains to access my server. I am considering two options:

1) Using CORS and allowing the client pages to embed the JS code, being able to call functions and integrate the code to their page (like adding actions to their buttons -- but that's a plus, not a requirement, as my code may come with its own UI).

For example, the Disqus Universal Code:

http://disqus.com/admin/universalcode/

<div id="disqus_thread"></div>
<script type="text/javascript">
    /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
    var disqus_shortname = ''; // required: replace example with your forum shortname

    /* * * DON'T EDIT BELOW THIS LINE * * */
    (function() {
        var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
        dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
    })();
</script>
<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>

2) Using a simple iFrame code so the client pages can embed it as well, but keeping a separation of domains.

From the point of view of a developer on the client side, what would you prefer? Would you be concerned about any security issues with JS+CORS?

EDIT

Possible duplicate

JSONP vs IFrame?

But question about security and developer-friendly option remains.


Solution

In my opinion it is much cleaner to distribute your code as an iframe and expose a postMessage API if for some reason your users need to interface with your code dynamically. This is more or less what Facebook does, except they have you pull in a JS wrapper around the postMessage layer to help developers who aren't familiar with postMessage.

As a developer using someone else's library this makes me feel much safer, as I'm not actually pulling in your code and giving it access to my application data; instead I'm able to count on the browser to sandbox your iframe and keep my users' data private to me while keeping your code and data private to you.

Iframes have great security sandboxing, and postMessage was created to allow safe interfacing between two pages with different domains; it's simple and it works.
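The following is an added example illustrating the iframe + postMessage design the answer recommends; it is not code from the original question or answer, nor from Disqus or Facebook. The `send` function stands in for the browser's `window.postMessage` so the whole thing runs offline in Node: the browser stamps `event.origin` with the sender's origin and drops the message when `targetOrigin` does not match the receiver. The origins (`https://widget.example`, `https://customer.example`, `https://evil.example`) and the message types (`addComment`, `commentAdded`) are assumptions made up for the example. The security-relevant points are that the widget checks `event.origin` against an allowlist and validates message shape before acting, and that both sides pass an explicit `targetOrigin` rather than `'*'`.

```javascript
// Added example (not from the original post): a host page talking to an
// embedded widget iframe over postMessage, with origin checks on both sides.
// Origins, message types and the send() simulation are constructed for the demo.

const WIDGET_ORIGIN = 'https://widget.example';                 // assumed
const ALLOWED_HOSTS = new Set(['https://customer.example']);    // assumed allowlist of embedders

// Minimal stand-in for a browsing context: an origin plus 'message' listeners.
function makeWindow(origin) {
  const listeners = [];
  return {
    origin,
    listeners,
    addEventListener(type, fn) { if (type === 'message') listeners.push(fn); },
  };
}

// Simulates `to.postMessage(data, targetOrigin)` issued from window `from`.
// Like the browser: the message is delivered only if targetOrigin is '*' or
// equals the receiver's origin, and event.origin is set by the "browser",
// so a sender cannot forge it.
function send(from, to, data, targetOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== to.origin) return false;
  for (const fn of to.listeners) fn({ origin: from.origin, source: from, data });
  return true;
}

// Widget (iframe) side: only accept commands from known embedders and only
// the message types we define; reply to event.origin, never to '*'.
function createWidget(win) {
  const state = { comments: [], rejected: 0 };
  win.addEventListener('message', (event) => {
    if (!ALLOWED_HOSTS.has(event.origin)) { state.rejected++; return; }
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') { state.rejected++; return; }
    switch (msg.type) {
      case 'addComment':
        if (typeof msg.text !== 'string' || msg.text.length > 1000) { state.rejected++; return; }
        state.comments.push(msg.text);
        send(win, event.source, { type: 'commentAdded', count: state.comments.length }, event.origin);
        break;
      default:
        state.rejected++;   // unknown command: ignore rather than interpret
    }
  });
  return state;
}

// Host (embedding page) side: accept replies only from the widget frame's
// origin and window, and always target the widget's origin explicitly.
function createHost(win, widgetWin) {
  const state = { acks: [], ignored: 0 };
  win.addEventListener('message', (event) => {
    if (event.origin !== WIDGET_ORIGIN || event.source !== widgetWin) { state.ignored++; return; }
    if (event.data && event.data.type === 'commentAdded') state.acks.push(event.data.count);
  });
  return {
    state,
    addComment(text) {
      // Explicit targetOrigin: if the frame was navigated elsewhere, the
      // browser drops the message instead of handing our data to a stranger.
      return send(win, widgetWin, { type: 'addComment', text }, WIDGET_ORIGIN);
    },
  };
}

// Walks through a legitimate call plus three attacks and reports what each side saw.
function runScenario() {
  const widgetWin = makeWindow(WIDGET_ORIGIN);
  const hostWin = makeWindow('https://customer.example');
  const evilWin = makeWindow('https://evil.example');
  const widget = createWidget(widgetWin);
  const host = createHost(hostWin, widgetWin);

  host.addComment('hello');                                                   // accepted and acked
  send(evilWin, widgetWin, { type: 'addComment', text: 'spam' }, '*');        // wrong origin: rejected
  send(hostWin, widgetWin, { type: 'eval', code: '1+1' }, WIDGET_ORIGIN);     // unknown type: rejected
  send(evilWin, hostWin, { type: 'commentAdded', count: 99 }, '*');           // spoofed ack: ignored
  // Frame navigated to another site: explicit targetOrigin makes delivery fail.
  const deliveredToNavigatedFrame = send(hostWin, evilWin, { type: 'addComment', text: 'x' }, WIDGET_ORIGIN);

  return {
    comments: widget.comments,
    rejected: widget.rejected,
    acks: host.state.acks,
    ignored: host.state.ignored,
    deliveredToNavigatedFrame,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(runScenario());
```

The same handler logic applies unchanged in a real page: replace `send(...)` with `window.parent.postMessage(...)` / `iframe.contentWindow.postMessage(...)` and `win.addEventListener('message', ...)` with the real `window.addEventListener`. The part worth copying is the pair of checks: the receiver filters on `event.origin` (and `event.source`) before touching `event.data`, and the sender never uses `'*'` as `targetOrigin` when the message carries anything private.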

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow