Janky.post: Making cross-domain possible in javascript one request at a time

At one point one has to step back and ask what the hell we've created.<p>I mean really: creating hidden iframes with onload actions that post to another domain. I don't know whether to be proud of our ingenuity or sad that this is the cutting edge of interprocess communication for the web.

This is pretty cool. (tl;dr summary: creates a hidden iframe with a form pointing to the remote domain, submits the form, and uses postMessage to send the result back to the parent frame.)<p>We experimented with something similar a while ago, but found that creating and destroying all those iframes could slow down older browsers. (Our use case potentially required sending requests relatively frequently.) Have you observed anything like that with this technique?

Security is a big one here - doing a &#60;Script src=&#62; include from another domain might be really convenient for getting around cross-domain limits - but if that remote server has been compromised, or if it's run by dodgy individuals, they now have complete control of your webpage and can do incalculable damage to your business.

Hold up, aren't cross-domain requests disallowed for a good reason (security)? I get that Access-Control is unsupported in old IE, but gosh, doesn't it make way more sense?

Pretty interesting, but it seems like it doesn't work with FF4 b8.<p>Since it uses an iframe, it'll be interesting to know what happens on a site that detects that.