Yes, but one has always been able to load JavaScript from any server -- the
script tag src attribute has no cross-domain restrictions. This is standard
protocol by even the most advanced JavaScript libraries. Loading Google
hosted libraries, for example (
https://developers.google.com/speed/libraries/), is done this way. As are
all ads.

Thus, there is no safety in any site that has been hacked by an intruder on
the host server. (Which is what I think you mean by "plant a link on a
perfectly respectable web page.") That's not what the AJAX cross-domain
business is trying to prevent. My understanding of what that is trying to
prevent is for actions by ads and other add-ons embedded within a page to
have access to cross-domain page resources -- looking at passwords and
such. Without this restriction, for example, an ad might completely rewrite
an accompanying page or insert just the sort of links you are referring to.

Jmol could in principle function reasonably well using just standard
cross-domain script tags to load its code. The only reason that is not done
is that that requires an asynchronous mechanism -- a callback indicating
that the code is loaded. The problem with that is that it makes reflection
(on-call loading of modules) nearly impossible when that need appears deep
into a series of nested function calls. JSmol does have built into it an
experimental mechanism for this, but it's not fully functional yet.

What's happening in this particular case is just that chemapps.stolaf.edu
requires jsmol.php to add the access-control-allow-origin header to the
JavaScript files on that site in order to load them synchronously.

I think, though, we are seeing a move to have hosted libraries such as
those from Google, and that requires cross-domain scripting. In general, I
agree with this statement:

*Always host a copy of the scripts on your own domain and serve them from
there. It also gives you a more reliable site.*

However, that presents its own security issues. Part of the idea of hosted
libraries is that if security flaws are found, then they can be corrected
once at one site and not require widespread distribution and fixes at
innumerable sites.

Bob
------------------------------------------------------------------------------
_______________________________________________
Jmol-users mailing list
Jmol-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jmol-users
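The following is an added example, not code from the Jmol project or from the message above. It models the mechanism the message describes: a script tag runs code from any origin with no opt-in, while reading a JavaScript file's text through a (synchronous) XMLHttpRequest from another origin only works if the server sends Access-Control-Allow-Origin, the header the message says jsmol.php adds. The origins, the allow list and the function names are this example's own constructed values.

```javascript
// Added example; models the script-tag vs. XHR loading contrast from the
// message. Origins, the allow list and function names are constructed.

// Server side: decide which CORS headers to attach for a request that carries
// an Origin header. Echoing an allow-listed origin (with Vary: Origin so
// caches keep responses per origin) is tighter than a blanket "*".
function corsHeadersFor(requestOrigin, allowList) {
  if (!requestOrigin || !allowList.includes(requestOrigin)) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Browser side: the CORS rule a page's script is subject to when it reads a
// cross-origin response body. "*" permits any origin unless credentials were
// sent; otherwise the header must match the page's origin exactly.
function corsAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const entry = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === "access-control-allow-origin");
  if (!entry) return false;              // no opt-in: body stays opaque
  const value = entry[1].trim();
  if (value === "*") return !withCredentials;
  return value === pageOrigin;
}

// The two load paths the message contrasts.
//   script: <script src=...> executes regardless of origin; the page never
//           reads the source and only learns of completion via a callback.
//   xhr:    the page receives the source text and can eval() it on the spot,
//           but only if the serving host opted in with the header above.
function loadCrossOrigin(method, pageOrigin, scriptHost, withCredentials = false) {
  if (method === "script") return { executed: true, sourceVisible: false };
  if (method !== "xhr") throw new Error("unknown load method: " + method);
  const headers = corsHeadersFor(pageOrigin, scriptHost.allowList);
  const ok = corsAllowsRead(pageOrigin, headers, withCredentials);
  return { executed: ok, sourceVisible: ok };
}

// Constructed sample: a script host that serves CORS headers to one site only.
const host = { allowList: ["https://chem.example.edu"] };
console.log(loadCrossOrigin("xhr", "https://chem.example.edu", host));
console.log(loadCrossOrigin("xhr", "https://other.example.net", host));
console.log(loadCrossOrigin("script", "https://other.example.net", host));
```

The third call shows the asymmetry the message points out: the script tag executes the file from any origin, while the XHR path is gated on the server's opt-in header.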