javascript - Same origin policy

Question

Maybe some of you can help me get a better understanding of the javascript same origin policy.

The same origin policy is defined as following (http://en.wikipedia.org/wiki/Same_origin_policy):

In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.

I have deployed a GWT application to the Google App Engine with url

http://metalsandstocks.appspot.com

Since GWT compiles all java into javascript this means my app is deployed as javascript. Since this is an ajax application I assumed that it would be required to abide by the same origin policy. The app uses ajax to make calls to a different domain(http://finance.yahoo.com)in order to get real-time stock quotes for dispaly to the user. The app works as described yet it has a different domain than the one it calls for it's updates. Does this app violate the same origin policy? Why or why not?

Answer 1

You can get Yahoo Finance using JSONP, so that is most definitely what you are using.

An example URL is...

http://d.yimg.com/autoc.finance.yahoo.com/autoc?query=Apple&callback=YAHOO.Finance.SymbolSuggest.ssCallback

When the request has loaded, it will call the callback you define in the GET param. This allows you to work around same origin policy, provided the service has support for JSONP.

Alternatively, some people use their server as a proxy.