Embedding an application in a web page

Can you embed an IT Mill Ajax application directly in some other web page?

Do you have an example of how to do this?

And what about XSS? Do I have to install them (page and app) on the same server or domain, or can I run remote applications?

Embedding is easy - just cut-n-paste the HTML initialization code generated by the toolkit (first run the application without embedding and see the source generated).

You are correct about XSS - both page and application must come from the same server. There are some tricks for loosening the XSS limits to “same domain” from same server.

One practical solution is also to use iframes for embedding the application. This way there are no XSS problems at all.

OK, based on this I managed to get things working with the sample application like this:

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascript" src="/Calc/RES/corporate/script/compiledjavascript.js"></script>
<link rel="stylesheet" href="/Calc/RES/corporate/css/compiledstyle.css" type="text/css" />
<link rel="stylesheet" href="styles.css" type="text/css" />
</head>
<body class="itmtk">
				<div class="panel">
					<ul>
						<li class="first" id="features">
							<a href="integration/">Integration</a>
						</li>
						<li id="build">
							<a href="build/">Build</a>
						</li>
						<li id="collaboration" class="on">
							<a href="collaboration/">Collaboration</a>
						</li>
					</ul>
				</div>
				<div class="panel">
					<div id="application" class="application"></div>
				</div>
				<div id="ajax-wait">Loading...</div>
				<script type="text/javascript">
					// Attach the toolkit client to the placeholder div; UIDL and resources load from /Calc/ on the same host.
					itmill.tmp = new itmill.Client(document.getElementById('application'),"/Calc/UIDL/","/Calc/RES/corporate/client/",document.getElementById('ajax-wait'));
					(new itmill.themes.Corporate("/Calc/RES/corporate/")).registerTo(itmill.tmp);
					delete itmill.tmp;
				</script>
</body>
</html>

Just remember the correct style for body:

<body class="itmtk">

The real problem is the cross-site scripting limitations. You cannot execute anything from a different host.

I made a quick experiment and copied the page to a different host, and that didn't work.

Our Java applications are on a different server and some solution is needed.

Any ideas?

And no iframes, thanks :)

Could your web server proxy those Ajax requests to your Java servers?

Instead of a proxy, you can configure your web service to return JSON, if possible. Then you can use the dynamic script tag method for XSS.

The current IT Mill Toolkit 4.0 returns all UIDL in XML format, so you need to parse that manually when you receive responses as JSON instead (with XMLHttpRequest this is done automatically). When we ship Toolkit 5.0, it uses JSON for UIDL transport natively, which makes this kind of XSS more efficient.

You can read more about the dynamic script tag method and see examples here:
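Added example, not part of the thread or of the material linked above: a minimal Node.js sketch of the proxy option raised earlier, forwarding only the `/Calc/UIDL/` and `/Calc/RES/` paths from the posted HTML so that page and application share one origin. The upstream host name, the listen address and the function names are assumptions; in a real deployment the web server that serves the page would do this forwarding.

```javascript
// Added example, not from the thread. UPSTREAM and the listen address are assumptions.
const UPSTREAM = 'http://java-backend.internal.example:8080'; // hypothetical Java server
// Forward only the two paths the embedding page uses (taken from the posted HTML).
const ALLOWED_PREFIXES = ['/Calc/UIDL/', '/Calc/RES/'];

// Map a request target to an upstream URL, or return null if it must not be proxied.
function resolveUpstream(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl, UPSTREAM); // also resolves ./ and ../ segments
  } catch (err) {
    return null;
  }
  // Absolute or protocol-relative targets must not redirect the proxy to another host.
  if (url.origin !== new URL(UPSTREAM).origin) return null;
  // Conservative choice: refuse encoded separators the backend might decode differently.
  if (/%2f|%5c/i.test(url.pathname)) return null;
  if (!ALLOWED_PREFIXES.some((prefix) => url.pathname.startsWith(prefix))) return null;
  return url.href;
}

// Forwarding server only; serving the embedding page itself is left to the web server.
async function startProxy(port) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const target = resolveUpstream(req.url);
    if (target === null) {
      res.writeHead(404);
      res.end();
      return;
    }
    // Request headers, including cookies, are passed through; only Host is rewritten.
    const headers = { ...req.headers, host: new URL(target).host };
    const upstreamReq = http.request(target, { method: req.method, headers }, (upRes) => {
      res.writeHead(upRes.statusCode, upRes.headers);
      upRes.pipe(res);
    });
    upstreamReq.on('error', () => {
      if (!res.headersSent) res.writeHead(502);
      res.end();
    });
    req.pipe(upstreamReq);
  });
  return server.listen(port, '127.0.0.1');
}
```

Nothing starts on load; call `startProxy(8081)` (port chosen arbitrarily) to run it. The prefix allow-list is what keeps the proxy from exposing the rest of the Java server to browsers.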