Making tinyMCE work with custom domains

Our application uses custom domains. We let users point their own domains, say purplecow.com, to our magazines.me website and to all intents and purposes it looks like their domain.

TinyMCE 3.2.0.2 does not work with custom domains: it fails when it tries to download additional sections of its own code during initialization (creation). It thinks we are trying to do cross-domain scripting because our server is not residing at purplecow.com; it is instead still at magazines.me. It then gets the infamous and somewhat infuriatingly nonsensical [because the exception is indeed caught. Hello?] error:

Error: uncaught exception: Permission denied to call method XMLHttpRequest.open

TinyMCE tries to use its own code to drive XMLHttpRequest to download its own files from the server. Our solution, since we are using Prototype anyway, was to replace the tinyMCE code with code that uses Prototype instead. Presumably one could do this with jQuery as well. Don’t know.

Code follows. Replace the XHR send function, at or around line 854 in tiny_mce_src.js, with:

	send : function(o) {
		var x, t, w = window, c = 0;

		// Default settings
		o.scope = o.scope || this;
		o.success_scope = o.success_scope || o.scope;
		o.error_scope = o.error_scope || o.scope;
		o.async = o.async === false ? false : true;
		o.data = o.data || '';

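		// Hand the request to Prototype's Ajax.Request instead of TinyMCE's own XMLHttpRequest code
		var options = {
			method : o.type || (o.data ? 'POST' : 'GET'),
			// onComplete fires for every finished request, whatever the HTTP status
			onComplete : function(x) {
				o.success.call(o.success_scope, '' + x.responseText, x, o);
			},
			asynchronous : o.async === false ? false : true,
			contentType : o.content_type
		};
		var req = new Ajax.Request(o.url, options);
	}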

Compressing this into tiny_mce.js is left for another day.

P.S. —————————–

We switched back.

We now have our users do their editing on a page with a URL on the home domain, not the user’s subdomain. Not as clean looking, but Firefox does not allow JavaScript access to stylesheets from subdomains.

We then restored the above code to its original state. It still did not work to download tiny_mce from Amazon S3, yet another security breach, so it is now downloaded from our server instead. [We have switched back and manually download everything ourselves, and do not let tinyMCE load its own code - which is the default.]
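Both failures above (the editor page served on a custom domain, then the copy hosted on S3) come down to the browser comparing the scheme, host and port of the page with those of the URL requested through XMLHttpRequest. The following is an added example, not code from the original post or from TinyMCE, that audits a list of asset URLs against a page URL; every host name and path in it is a constructed sample value.

```javascript
// Added example: classify editor asset URLs as same-origin or cross-origin
// relative to the page that hosts the editor. Sample URLs are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the (scheme, host, port) triple the same-origin check compares.
function originOf(url, base) {
  const u = new URL(url, base); // relative URLs resolve against the page
  // URL reports '' for a scheme's default port, so fill it in explicitly.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

function isSameOrigin(pageUrl, resourceUrl) {
  const a = originOf(pageUrl);
  const b = originOf(resourceUrl, pageUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Split assets into those a plain XHR from the page may fetch and those
// that will be refused as cross-origin.
function auditAssets(pageUrl, assets) {
  const report = { allowed: [], blocked: [] };
  for (const asset of assets) {
    (isSameOrigin(pageUrl, asset) ? report.allowed : report.blocked).push(asset);
  }
  return report;
}

// Constructed sample: editor page on the customer's domain.
const page = 'http://purplecow.com/edit';
const assets = [
  '/js/tiny_mce/themes/advanced/editor_template.js',        // relative: same origin
  'http://magazines.me/js/tiny_mce/langs/en.js',            // home domain: other host
  'http://s3.amazonaws.com/example-bucket/tiny_mce/en.js',  // S3: other host
  'http://www.purplecow.com/js/tiny_mce/langs/en.js',       // subdomain: other host
  'https://purplecow.com/js/tiny_mce/langs/en.js',          // other scheme and port
];

console.log(auditAssets(page, assets));
```

Only the relative URL lands in `allowed`: a different host, a subdomain, or a different scheme each makes the request cross-origin.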

If there is a theme here, it is that the security in these browsers is haphazard, often unfathomable, and a pain in the butt [and on that subject, if we weren’t prohibited from reading the frame buffer, JavaScript could compete directly with Flash, only better. Or the ability to determine what text the user has selected on the page, even when the text is not in a TextArea - so we could have real word processors right in the browser.].
