11-30-2012, 07:15 PM | #9
rnd me
you can't use CORS because the server at http://02873eb16af5eb15ff11-40b15116...s?v=1354302269 is not emitting an Access-Control-Allow-Origin header:

Code:
Cache-Control:public, max-age=259167
Connection:keep-alive
Content-Type:text/css
Date:Fri, 30 Nov 2012 19:12:17 GMT
ETag:b0263a895d13a9e5de138ef2716478f3
Expires:Mon, 03 Dec 2012 19:11:34 GMT
Last-Modified:Fri, 30 Nov 2012 01:45:21 GMT
Vary:Accept-Encoding

if it did emit that header, a plain old ajax command would work as though the request was made to your site.


while the cssText property is blacklisted by the SOP, you CAN sniff out external styles from off-domain sources.

in your example at http://page-test.co.uk/js.php, run this in firebug/devtools:

Code:
document.body.className="style3"; //text turns green
getComputedStyle(document.body).color; //shows "rgb(0, 128, 0)", which is "green"

so, one-at-a-time, you can sniff style properties. Note that you cannot hit pseudo-elements (:before/:after), and content: hello world; won't work either, so don't bother with that.

you can also send arbitrary text as the #hash of a background-image URL, or if you have clean CSV data, a font-family stack. you can "rip" both of those using getComputedStyle(). i've actually used this to deliver tweets to an HTTPS client from HTTP without the dreaded popups about mixed zones, since the browser doesn't worry about css safety. a little janky, but it works.
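Added example, not part of rnd me's post: a simplified version of the check a browser applies to a cross-origin response before letting page script read it, run over the header dump quoted in the post. The function names are hypothetical, and the origin is taken from the test page URL mentioned in the post.

```javascript
// Response headers quoted in the post (the CDN stylesheet), embedded as sample input.
const RESPONSE_FROM_POST = [
  "Cache-Control:public, max-age=259167",
  "Connection:keep-alive",
  "Content-Type:text/css",
  "Date:Fri, 30 Nov 2012 19:12:17 GMT",
  "ETag:b0263a895d13a9e5de138ef2716478f3",
  "Expires:Mon, 03 Dec 2012 19:11:34 GMT",
  "Last-Modified:Fri, 30 Nov 2012 01:45:21 GMT",
  "Vary:Accept-Encoding",
].join("\n");

// Parse "Name:value" lines into a Map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // skip blank or malformed lines
    headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Simplified form of the browser's CORS check on a response.
// pageOrigin: serialized origin of the requesting page.
// withCredentials: true if cookies/HTTP auth are sent with the request.
function corsCheck(rawHeaders, pageOrigin, withCredentials = false) {
  const h = parseHeaders(rawHeaders);
  const allow = h.get("access-control-allow-origin");
  if (allow === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials && allow === "*") {
    return { readable: true, reason: "wildcard origin" };
  }
  if (allow !== pageOrigin) {
    // "*" also lands here when credentials are sent: the wildcard is not honoured then
    return { readable: false, reason: `origin mismatch: ${allow}` };
  }
  if (withCredentials && h.get("access-control-allow-credentials") !== "true") {
    return { readable: false, reason: "credentials not allowed" };
  }
  return { readable: true, reason: "origin allowed" };
}

const ORIGIN = "http://page-test.co.uk"; // origin of the test page named in the post
console.log(corsCheck(RESPONSE_FROM_POST, ORIGIN));
console.log(corsCheck(RESPONSE_FROM_POST + "\nAccess-Control-Allow-Origin:*", ORIGIN));
```

The first call reports the response as unreadable because the header is absent, matching the post; the second shows the same response becoming readable once the server emits the header.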