you can't use CORS because the server at http://02873eb16af5eb15ff11-40b15116...s?v=1354302269 is not emitting an Access-Control-Allow-Origin header:
Date:Fri, 30 Nov 2012 19:12:17 GMT
Expires:Mon, 03 Dec 2012 19:11:34 GMT
Last-Modified:Fri, 30 Nov 2012 01:45:21 GMT
if it did emit that header, a plain old ajax command would work as though the request was made to your site.
while the cssText property is blacklisted by the SOP, you CAN sniff out external styles from off-domain sources.
in your example at http://page-test.co.uk/js.php, run this in firebug/devtools:
document.body.className="style3"; //text turns green
getComputedStyle(document.body).color; //shows "rgb(0, 128, 0)", which is "green"
so, one-at-a-time, you can sniff style properties. Note that you cannot hit pseudo-elements (:before/:after), and content: hello world; won't work either, so don't bother with that.
you can also send arbitrary text as the #hash of a background-image URL, or if you have clean CSV data, a font-family stack. you can "rip" both of those using getComputedStyle(). i've actually used this to deliver tweets to an HTTPS client from HTTP without the dreaded popups about mixed zones, since the browser doesn't worry about css safety. a little janky, but it works.
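The check that fails in the first paragraph of the post above, as an added example that is not part of the original post: a simplified model of how a browser decides whether script may read a cross-origin response, run against the three headers quoted there. The helper names `parseHeaders` and `corsAllowsRead` are hypothetical, and preflight handling is left out.

```javascript
// Added example (not from the original post): simplified model of the browser's
// CORS read check for a simple cross-origin GET. Helper names are hypothetical.

// Turn raw "Name: value" response-header lines into a lowercase-keyed map.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // A repeated header is combined into one comma-separated value.
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return headers;
}

// Decide whether script running on pageOrigin may read the response body.
function corsAllowsRead(rawHeaders, pageOrigin, withCredentials = false) {
  const headers = parseHeaders(rawHeaders);
  const acao = headers.get("access-control-allow-origin");
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard not accepted with credentials" }
      : { allowed: true, reason: "wildcard" };
  }
  // The value must equal the serialized origin exactly; a list of origins fails.
  if (acao !== pageOrigin) return { allowed: false, reason: "origin mismatch" };
  if (withCredentials && headers.get("access-control-allow-credentials") !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "origin match" };
}

// The response headers exactly as quoted in the post.
const POST_HEADERS = [
  "Date:Fri, 30 Nov 2012 19:12:17 GMT",
  "Expires:Mon, 03 Dec 2012 19:11:34 GMT",
  "Last-Modified:Fri, 30 Nov 2012 01:45:21 GMT",
].join("\n");
const PAGE_ORIGIN = "http://page-test.co.uk"; // origin of the example page in the post

console.log(corsAllowsRead(POST_HEADERS, PAGE_ORIGIN));
console.log(corsAllowsRead(POST_HEADERS + "\nAccess-Control-Allow-Origin: " + PAGE_ORIGIN, PAGE_ORIGIN));
```
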