Critical privacy/data integrity fix: Move cross-domain capable message listener into own extension (ext-xdomain-messaging.js) and do not include by default (the extension now won't work anyways without an allowedOrigins config first being set (in config.js) for security reasons (and not via URL)); add allowedOrigins config and demo use in config-sample.js; JSLint; update embedapi.html to supply the xdomain extension in case running xdomain (again, allowedOrigins must be supplied in the local copy of config.js for this to work); modify embedapi.js to allow reuse of cross-domain API with same-domain usage, but without the intermediate JSON parsing which could lose some non-JSONable arguments or response.

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2714 eee81c28-f429-11dd-99c0-75d572ba1ddd

editor/config-sample.js

@@ -79,6 +79,13 @@ svgEditor.setConfig({
 	// langPath: 'locale/',
 	// extPath: 'extensions/',
 	// jGraduatePath: 'jgraduate/images/',
+	/*
+	Uncomment the following to allow at least same domain (embedded) access,
+	including file:// access.
+	Setting as `['*']` would allow any domain to access but would be unsafe to
+	data privacy and integrity.
+	*/
+	// allowedOrigins: [window.location.origin || 'null'], // May be 'null' (as a string) when used as a file:// URL
 	// DOCUMENT PROPERTIES
 	// dimensions: [640, 480],
 	// EDITOR OPTIONS