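// Copyright 2006 The Closure Library Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS-IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// The original file lives here: http://go/cross_domain_channel.js

/**
 * @fileoverview Implements a cross-domain communication channel. A
 * typical web page is prevented by browser security from sending
 * request, such as a XMLHttpRequest, to other servers than the ones
 * from which it came. The Jsonp class provides a workaround by
 * using dynamically generated script tags. Typical usage:
 *
 * var jsonp = new goog.net.Jsonp(new goog.Uri('http://my.host.com/servlet'));
 * var payload = { 'foo': 1, 'bar': true };
 * jsonp.send(payload, function(reply) { alert(reply) });
 *
 * Because the reply arrives as a script that the browser executes in the
 * calling page, the server named by the URI must be one the page fully
 * trusts. A script fetched over plain http can be altered in transit, so an
 * https URI is the safer choice outside of examples.
 *
 * This script works in all browsers that are currently supported by
 * the Google Maps API, which is IE 6.0+, Firefox 0.8+, Safari 1.2.4+,
 * Netscape 7.1+, Mozilla 1.4+, Opera 8.02+.
 *
 */

goog.provide('goog.net.Jsonp');

goog.require('goog.Uri');
goog.require('goog.net.jsloader');

// WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
//
// This class allows us (Google) to send data from non-Google and thus
// UNTRUSTED pages to our servers. Under NO CIRCUMSTANCES return
// anything sensitive, such as session or cookie specific data. Return
// only data that you want parties external to Google to have. Also
// NEVER use this method to send data from web pages to untrusted
// servers, or redirects to unknown servers (www.google.com/cache,
// /q=xx&btnl, /url, www.googlepages.com, etc.)
//
// WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING


/**
 * Creates a new cross domain channel that sends data to the specified
 * host URL. By default, if no reply arrives within 5s, the channel
 * assumes the call failed to complete successfully.
 *
 * @param {goog.Uri|string} uri The Uri of the server side code that receives
 *     data posted through this channel (e.g.,
 *     "http://maps.google.com/maps/geo").
 *
 * @param {string=} opt_callbackParamName The parameter name that is used to
 *     specify the callback. Defaults to "callback".
 *
 * @constructor
 * @final
 */
goog.net.Jsonp = function(uri, opt_callbackParamName) {
  /**
   * The uri_ object will be used to encode the payload that is sent to the
   * server.
   * @type {goog.Uri}
   * @private
   */
  this.uri_ = new goog.Uri(uri);

  /**
   * This is the callback parameter name that is added to the uri.
   * @type {string}
   * @private
   */
  this.callbackParamName_ = opt_callbackParamName || 'callback';

  /**
   * The length of time, in milliseconds, this channel is prepared
   * to wait for a request to complete. The default value is 5 seconds.
   * @type {number}
   * @private
   */
  this.timeout_ = 5000;

  /**
   * The nonce to use in the dynamically generated script tags. This is used for
   * allowing the script callbacks to execute when the page has an enforced
   * Content Security Policy.
   * @type {string}
   * @private
   */
  this.nonce_ = '';
};


/**
 * The prefix for the callback name which will be stored on goog.global.
 */
goog.net.Jsonp.CALLBACKS = '_callbacks_';


/**
 * Used to generate unique callback IDs. The counter must be global because
 * all channels share a common callback object.
 * @private
 */
goog.net.Jsonp.scriptCounter_ = 0;


/**
 * Static private method which returns the global unique callback id.
 *
 * @param {string} id The id of the script node.
 * @return {string} A global unique id used to store callback on goog.global
 *     object.
 * @private
 */
goog.net.Jsonp.getCallbackId_ = function(id) {
  return goog.net.Jsonp.CALLBACKS + '__' + id;
};


/**
 * Sets the length of time, in milliseconds, this channel is prepared
 * to wait for a request to complete. If the call is not completed
 * within the set time span, it is assumed to have failed. To wait
 * indefinitely for a request to complete set the timeout to a negative
 * number.
 *
 * @param {number} timeout The length of time before calls are
 *     interrupted.
 */
goog.net.Jsonp.prototype.setRequestTimeout = function(timeout) {
  this.timeout_ = timeout;
};


/**
 * Returns the current timeout value, in milliseconds.
 *
 * @return {number} The timeout value.
 */
goog.net.Jsonp.prototype.getRequestTimeout = function() {
  return this.timeout_;
};


/**
 * Sets the nonce value for CSP. This nonce value will be added to any created
 * script elements and must match the nonce provided in the
 * Content-Security-Policy header sent by the server for the callback to pass
 * CSP enforcement.
 *
 * @param {string} nonce The CSP nonce value.
 */
goog.net.Jsonp.prototype.setNonce = function(nonce) {
  this.nonce_ = nonce;
};


/**
 * Sends the given payload to the URL specified at the construction
 * time. The reply is delivered to the given replyCallback. If the
 * errorCallback is specified and the reply does not arrive within the
 * timeout period set on this channel, the errorCallback is invoked
 * with the original payload.
 *
 * If no reply callback is specified, then the response is expected to
 * consist of calls to globally registered functions. No &callback=
 * URL parameter will be sent in the request, and the script element
 * will be cleaned up after the timeout.
 *
 * The payload travels in the query string of a GET request, so it is visible
 * wherever URLs are recorded; it is not a place for secrets.
 *
 * @param {Object=} opt_payload Name-value pairs. If given, these will be
 *     added as parameters to the supplied URI as GET parameters to the
 *     given server URI.
 *
 * @param {Function=} opt_replyCallback A function expecting one
 *     argument, called when the reply arrives, with the response data.
 *
 * @param {Function=} opt_errorCallback A function expecting one
 *     argument, called on timeout, with the payload (if given), otherwise
 *     null.
 *
 * @param {string=} opt_callbackParamValue Value to be used as the
 *     parameter value for the callback parameter (callbackParamName).
 *     To be used when the value needs to be fixed by the client for a
 *     particular request, to make use of the cached responses for the request.
 *     NOTE: If multiple requests are made with the same
 *     opt_callbackParamValue, only the last call will work whenever the
 *     response comes back.
 *
 * @return {!Object} A request descriptor that may be passed to cancel() to
 *     cancel this transmission. A descriptor is always returned.
 */
goog.net.Jsonp.prototype.send = function(
    opt_payload, opt_replyCallback, opt_errorCallback, opt_callbackParamValue) {

  var payload = opt_payload || null;

  // Unless the caller pins the value, build an id from the shared counter and
  // the current time so that concurrent requests get distinct global names.
  var id = opt_callbackParamValue ||
      '_' + (goog.net.Jsonp.scriptCounter_++).toString(36) +
      goog.now().toString(36);
  var callbackId = goog.net.Jsonp.getCallbackId_(id);

  // Create a new Uri object onto which this payload will be added
  var uri = this.uri_.clone();
  if (payload) {
    goog.net.Jsonp.addPayloadToUri_(payload, uri);
  }

  if (opt_replyCallback) {
    var reply = goog.net.Jsonp.newReplyHandler_(id, opt_replyCallback);
    // Register the callback on goog.global to make it discoverable
    // by jsonp response.
    goog.global[callbackId] = reply;

    uri.setParameterValues(this.callbackParamName_, callbackId);
  }

  var options = {timeout: this.timeout_, cleanupWhenDone: true};
  if (this.nonce_) {
    // Only set when a nonce was supplied through setNonce(); it has to match
    // the page's Content-Security-Policy for the loaded script to run.
    options.attributes = {'nonce': this.nonce_};
  }

  // The response is loaded as a script, so whatever the endpoint returns runs
  // in this page. See the WARNING block in this file about which servers this
  // channel may be pointed at.
  var deferred = goog.net.jsloader.load(uri.toString(), options);
  var error = goog.net.Jsonp.newErrorHandler_(id, payload, opt_errorCallback);
  deferred.addErrback(error);

  return {id_: id, deferred_: deferred};
};


/**
 * Cancels a given request. The request must be exactly the object returned by
 * the send method.
 *
 * @param {Object} request The request object returned by the send method.
 */
goog.net.Jsonp.prototype.cancel = function(request) {
  if (request) {
    if (request.deferred_) {
      request.deferred_.cancel();
    }
    if (request.id_) {
      // Pass false: the script may still fire after cancellation, so the
      // handler is replaced by a no-op rather than deleted.
      goog.net.Jsonp.cleanup_(request.id_, false);
    }
  }
};


/**
 * Creates a timeout callback that calls the given timeoutCallback with the
 * original payload. send() registers the result as the errback of the
 * deferred returned by goog.net.jsloader.load.
 *
 * @param {string} id The id of the script node.
 * @param {Object} payload The payload that was sent to the server.
 * @param {Function=} opt_errorCallback The function called on timeout.
 * @return {!Function} A zero argument function that handles callback duties.
 * @private
 */
goog.net.Jsonp.newErrorHandler_ = function(id, payload, opt_errorCallback) {
  /**
   * When we call across domains with a request, this function is the
   * timeout handler. It first replaces the registered reply handler with a
   * no-op, then executes the user-specified error-handler, if any.
   */
  return function() {
    goog.net.Jsonp.cleanup_(id, false);
    if (opt_errorCallback) {
      opt_errorCallback(payload);
    }
  };
};


/**
 * Creates a reply callback that calls the given replyCallback with data
 * returned by the server.
 *
 * @param {string} id The id of the script node.
 * @param {Function} replyCallback The function called on reply.
 * @return {!Function} A reply callback function.
 * @private
 */
goog.net.Jsonp.newReplyHandler_ = function(id, replyCallback) {
  /**
   * This function is the handler for the all-is-well response. It
   * removes itself from goog.global, then calls the user's handler with
   * every argument the response script passed.
   *
   * @param {...Object} var_args The response data sent from the server.
   */
  var handler = function(var_args) {
    goog.net.Jsonp.cleanup_(id, true);
    replyCallback.apply(undefined, arguments);
  };
  return handler;
};


/**
 * Removes the reply handler registered on goog.global object.
 *
 * @param {string} id The id of the script node to be removed.
 * @param {boolean} deleteReplyHandler If true, delete the reply handler
 *     instead of setting it to nullFunction (if we know the callback could
 *     never be called again).
 * @private
 */
goog.net.Jsonp.cleanup_ = function(id, deleteReplyHandler) {
  var callbackId = goog.net.Jsonp.getCallbackId_(id);
  if (goog.global[callbackId]) {
    if (deleteReplyHandler) {
      try {
        delete goog.global[callbackId];
      } catch (e) {
        // NOTE: Workaround to delete property on 'window' in IE <= 8, see:
        // http://stackoverflow.com/questions/1073414/deleting-a-window-property-in-ie
        goog.global[callbackId] = undefined;
      }
    } else {
      // Removing the script tag doesn't necessarily prevent the script
      // from firing, so we make the callback a noop.
      goog.global[callbackId] = goog.nullFunction;
    }
  }
};


/**
 * Returns URL encoded payload. The payload should be a map of name-value
 * pairs, in the form {"foo": 1, "bar": true, ...}. If the map is empty,
 * the URI will be unchanged.
 *
 * The method uses hasOwnProperty() to assure the properties are on the
 * object, not on its prototype. The check is made with the method taken from
 * Object.prototype, so a payload key named "hasOwnProperty" cannot interfere
 * with it.
 *
 * @param {!Object} payload A map of value name pairs to be encoded.
 *     A value may be specified as an array, in which case a query parameter
 *     will be created for each value, e.g.:
 *     {"foo": [1,2]} will encode to "foo=1&foo=2".
 *
 * @param {!goog.Uri} uri A Uri object onto which the payload key value pairs
 *     will be encoded.
 *
 * @return {!goog.Uri} A reference to the Uri sent as a parameter.
 * @private
 */
goog.net.Jsonp.addPayloadToUri_ = function(payload, uri) {
  // Calling payload.hasOwnProperty() directly breaks when the payload carries
  // its own "hasOwnProperty" key: a non-function value throws, and a falsy one
  // lets inherited properties into the query string.
  var hasOwn = Object.prototype.hasOwnProperty;
  for (var name in payload) {
    // NOTE(user): Safari/1.3 doesn't have hasOwnProperty(). In that
    // case, we iterate over all properties as a very lame workaround.
    if (!hasOwn || hasOwn.call(payload, name)) {
      uri.setParameterValues(name, payload[name]);
    }
  }
  return uri;
};


// WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
//
// This class allows us (Google) to send data from non-Google and thus
// UNTRUSTED pages to our servers. Under NO CIRCUMSTANCES return
// anything sensitive, such as session or cookie specific data. Return
// only data that you want parties external to Google to have. Also
// NEVER use this method to send data from web pages to untrusted
// servers, or redirects to unknown servers (www.google.com/cache,
// /q=xx&btnl, /url, www.googlepages.com, etc.)
//
// WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING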