Skip to main content
Skip Navigation LinksHome  Extending the Spotfire Platform  Architecture  Web Architecture  Mashup Development with Multiple Servers

©Spotfire 2011

Mashup Development with Multiple Servers

JavaScript in mashup calls from the same server as the Web Player does not compromise domain security. If the mashup and the Web Player reside on different servers, attention to domain attributes is essential.


This tutorial is applicable if the mashup is deployed to a server other than the Web Player server. When a mashup makes JavaScript calls to a Web Player application located in another frame on a web page, browsers prohibit the interaction unless the JavaScript comes from the same server. Browsers today prohibit cross-site scripting (XSS).

One solution to this cross-site scripting problem can be implemented directly in the pages or scripts. Set the domain attribute of the two DOM documents to the same domain name. This solution comes with one restriction: a page can only change its domain attribute to a parent domain of itself.

  • A script from defaults it's domain attribute to The script can set its domain attribute to or
  • A script from cannot change the domain value to or, not even

If the domain attribute of the Web Player/mashup application is changed, all users of that server must use fully qualified domain name when browsing the mashup, like Fully qualified domain names must also be used by all users of the Web Player application, in this case something like The bottom line is that the domain path of the server must end with the chosen domain attribute path:

For more information about the cross site scripting refer to Cross-Site Scripting in Wikipedia, About Cross-Frame Scripting and Security in MSDN, and Ajax and Mashup Security at OpenAjax alliance.

Server Configuration Example

Suppose the simple SpotfireDeveloper.WebAutomationExample\Demo2.htm mashup in the SDK is deployed to the server Then consider the distributed client/server, Web Player/mashup scenario:

Server configuration scenario

This example indicates the changes required to

  1. Open the Web.config file on the Web Player server.
    It is usually located in C:\Program Files\TIBCO\Spotfire Web Player\2.1\webroot.
  2. Locate the setup section, add the <javaScriptApi...> line setting the domain attribute to the domain of the servers, and save:
    <!-- ******************** WEB PLAYER SETTINGS ...***** -->
    <!-- ****************** Web Player settings for non visible items -->
      <javaScriptApi enabled="true" domain="" />
      <!-- The mailto link on the error ... 
      You can also set the maximum length of the email -->
      <errorReporting emailAddress="" />
  3. Open the Demo2.htm mashup example file on the mashup server,
    locate the <script> section,
    change the web player server paths to,
    and change the domain attribute to
    <script type="text/javascript" 
            src=""> <!-- CHANGE --> 
    <script type="text/javascript" src="Scripts/util.js"></script>
    <script type="text/javascript">
        // If you run the this file on another web server than the Web..., 
        // you need to change this property. See Web Player JavaScript ...
        document.domain = "";                                        // CHANGE
        // Constants
        var c_serverUrl = "";       // CHANGE
        var c_analysisPath = "TIBCO Spotfire Example Files/MedicalPerfo...";
        var c_majorRegions = ["(All)", "MW", "NE", "SE", "WE", "(None)"];

If the demo file is not part of web application, create the web application/virtual directory on the MashupSrv:

  • Users access the mashup URL[web application]/Demo2.htm
  • Users browse the Web Player server using the URL
    If you make these changes to an existing Web Player site, remember to inform users about the new URL, unless they already the access it by the fully qualified URLs.


To develop mashups without installing the Web Player on the development machine, perform the changes above, replacing the name of the mashup server with the one of the development machine.

  • Always use qualified domain names when debugging or testing, like /SpotfireWebSdkExamples/.
  • Do NOT use URLs like /... or http://developmentmachine/...

Other Mashup Sources

If the mashup interacts with JavaScript from another server located in its own IFRAME tag, that server must set the same common domain name.

This does not apply to applications like Microsoft® Virtual Earth, Google Maps or Yahoo!® Maps, since they add content to <div> tags rather than IFRAME tags.