Author: Ben Vinegar & Anton Kovalyov
Publisher: Manning
Pages: 256
ISBN: 978-1617290541
Audience: Experienced JavaScript devs wanting to write embeddable scripts
Rating: 4.5
Reviewer: Ian Elliot

The real question is what exactly is third-party JavaScript? The interesting answer is that it's almost certainly not what you think!

I have to admit that I'd not encountered the term "third-party JavaScript" before I read this book - but I had certainly used it and even created it.

No, it doesn't mean just using a JavaScript library, which is the most obvious interpretation of the term. What it means is creating JavaScript widgets that can be inserted into other websites. Used in this sense, third-party JavaScript is everywhere from advertising scripts to voting buttons. This book attempts to formalize this otherwise ad-hoc approach to delivering services to websites and it is a very interesting read.

Many of the topics it deals with are of wider interest to more than just the JavaScript widget maker because they are about getting JavaScript to run on any website and embedded in any page without causing conflicts. If all our JavaScript worked like this, the web would be a better place.

The first chapter explains the ideas and problems of building JavaScript for a third-party to run. Chapter 2 deals with the problems of building and testing JavaScript widgets. This is a topic that is usually left to you imagination, but in this case the way you can make use of Apache to simulate a number of different external domains is described in detail. It also tackles the difficult problems of cross-domain scripting and not slowing the site down.

Chapter 3 moves on to consider the problem of generating HTML and CSS from JavaScript and how to give it a better chance of not interacting badly with the existing HTML/CSS in the page. The next chapter looks at Ajax as a tool for getting data from your server. Of course the big problem here is cross-domain downloads and the big solution is JSONP. It also covers subdomain proxies and CORS. 

Chapter 5 explains the mysterious topic of cross-domain iframe messaging i.e using the postMessag API. The big problem here is browser support and so a lot of the chapter is devoted to fall back techniques all of which are complciated and messy. The solution is to use a library such as easyXDM. 

From here we move on to consider authentication and sessions as implemented by third party cookies - those most hated of all cookies. Again a large part of the chapter is devoted to workarounds to overcome the problem of users turning off third-party cookies.

Chapter 7 gets to grips even more with security issues. - cross-site scripting, cross-site request forgery and publisher impersonation. Vinegar and Kovalyov don't offer any universal solutions, they simply tries to make you aware of the possibilities. In most cases you need to sanitize all user input or just don't allow user input! 

Chapter 8 marks the point where the book starts to diversify into broader issues than just creating JavaScript widgets that work. The topic of this chapter is creating complete JavaScript SDKs that clients can use. Chapter 9 is about performance tuning and the final chapter is about debugging - with fairly standard treatments of fairly standard problems. 

Overall the discussions are good with a slight hint of humour. The examples are short and to the point. The serverside examples are in Python, but easy enough to understand.

Don't bother even picking this book up unless you are fully acquainted with JavaScript and enough HTML/CSS to know how they work together - this is not a beginner's book. However, it isn't an expert's book either and if you are thinking of creating a JavaScript widget for your site this should help you see your way through the problems.

It is worth noting that most of the problems are artificially created by either poorly thought out security measures or scare stories that make users lock down their systems by removing useful facilities. Good security shouldn't stop you doing what you want to do. 

There are also lots of senarios that the book doesn't even consider - but then neither does anyone else. For example, how do you arrange that your API is only accessible by a script you have authorized? You can't use a password or private token on the clientside because on the clientside there is no "private".

Many of the topics covered are relevant to the creation of web apps and general JavaScript based pages, so you might well get somthing out of it even if your main concerns turn out to be something other than third-party JavaScript.

A good book - go and read it.