AJAX - The Complete Reference


PART II


Chapter 9: Site and Application Architecture with Ajax 421


        {
            script.onreadystatechange = function() {
                if (this.readyState == "complete")
                    callback.call(this);
            }
        }
        script.src = request.url;
        script.type = "text/javascript";
        document.body.appendChild(script);
    },

    _handleScriptResponse : function(response){
        response.httpStatus = 200;
        response.httpStatusText = "OK";

        response.responseText = "";
        response.responseXML = null;
        AjaxTCR.comm._handleResponse(response);
    },

NOTE You might wonder why the transport indicator in the code is HTMLScriptTag and not
simply script. The reason is to try to avoid being filtered by Web application firewalls or other
application defense mechanisms that may scan for the word script as a value in a payload when
protecting against an XSS attack. You can change it if you like by modifying
DEFAULT_SCRIPT_TRANSPORT_VALUE.

The most complicated, and useful, of the alternate transport mechanisms is the iframe
mechanism, because it can not only be used for GET requests, but also for POSTs. The code
for POST is quite a bit more complicated as it makes an iframe, creates a form within the
iframe, and adds in text fields set to the name-value pairs to send to the server. Cross-browser
quirks only add to the code bloat.

    _sendIframe : function(request){
        /* use unique ID for transport iframe */
        var iframeID = AjaxTCR.comm.util.misc.generateUID("AjaxTCRIframe_");
        /* IE does not handle document.createElement("iframe"); */
        if(window.ActiveXObject)
            var iframe = document.createElement('<iframe id="' + iframeID + '" name="' + iframeID + '" />');
        else
        {
            var iframe = document.createElement("iframe");
            iframe.id = iframeID;
            iframe.name = iframeID;
        }
        /* make sure iframe doesn't cause trouble visually */
        iframe.style.height = "1px";
        iframe.style.visibility = "hidden";

        /* add iframe to document */
        document.body.appendChild(iframe);
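
The POST steps described above (a form created inside the transport iframe, one text field per name-value pair), as an added example that is not the book's listing or AjaxTCR code. The names parsePayload and buildIframePostForm are hypothetical, and the payload is assumed to be a URL-encoded name=value&... string; values are assigned as DOM properties rather than concatenated into markup, so quotes or tags in a value stay data.

```javascript
// Added example (hypothetical helpers, not part of AjaxTCR).
// Assumption: the payload is an application/x-www-form-urlencoded string.

// Decode one component; a malformed escape is kept as-is instead of throwing.
function safeDecode(s) {
  var spaced = s.replace(/\+/g, " "); // form encoding uses "+" for a space
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    return spaced;
  }
}

// Split "a=1&b=two+words" into decoded [name, value] pairs.
function parsePayload(payload) {
  if (!payload) return [];
  return payload.split("&").filter(Boolean).map(function (pair) {
    var eq = pair.indexOf("=");
    var name = eq === -1 ? pair : pair.slice(0, eq);
    var value = eq === -1 ? "" : pair.slice(eq + 1);
    return [safeDecode(name), safeDecode(value)];
  });
}

// Build the POST form inside the iframe's own document (iframeDoc), so that
// submitting it loads the response into the iframe, not the parent page.
// Every attribute is set as a property: no value is ever parsed as HTML.
function buildIframePostForm(iframeDoc, url, payload) {
  var form = iframeDoc.createElement("form");
  form.method = "POST";
  form.action = url;
  parsePayload(payload).forEach(function (pair) {
    var field = iframeDoc.createElement("input");
    field.type = "text";
    field.name = pair[0];
    field.value = pair[1];
    form.appendChild(field);
  });
  iframeDoc.body.appendChild(form);
  return form; // the caller invokes form.submit()
}
```

In a browser, iframeDoc would be the transport iframe's contentWindow.document once the iframe has been appended to the page.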