Thursday, November 10, 2005

 

Is Ajax making XMLHttpRequests to Non-originating servers !!!

        
Jason Levitt on xml.com have published an intresting article with title "Fixing AJAX: XMLHttpRequest Considered Harmful" This article explains few ways to get around the possible security constraints that we can face with in the browsers.

He writes in his article ....

"...the kind of AJAX examples that you don't see very often (are there any?) are ones that access third-party web services, such as those from Amazon, Yahoo, Google, and eBay. That's because all the newest web browsers impose a significant security restriction on the use of XMLHttpRequest. That restriction is that you aren't allowed to make XMLHttpRequests to any server except the server where your web page came from. So, if your AJAX application is in the page http://www.yourserver.com/junk.html, then any XMLHttpRequest that comes from that page can only make a request to a web service using the domain www.yourserver.com. Too bad -- your application is on www.yourserver.com, but their web service is on webservices.amazon.com (for Amazon). The XMLHttpRequest will either fail or pop up warnings, depending on the browser you're using"


He suggested three workarounds to get rid from this and they are :

i) Application Proxy: The server app on the originating server makes the call to the other server. Write an application in your favorite programming language that sits on your server, responds to XMLHttpRequests from users, makes the web service call, and sends the data back to users

ii) Apache Proxy: The Apache server config is needs to be modified so that requests are re-routed from the originating server to the other server, with your XMLHttpRequest object being none the wiser. You probably won't be able to do this if your application was hosted on a shared hosting service.

iii) Script Tag Hack with Application Proxy: Dynamically generate a HTML script tag and set the src attribute to make the request. No XMLHttpRequest is made, and the result is JavaScript, not XML. This approach is also known as On-Demand JavaScript.

Read the complete article here.


This page is powered by Blogger. Isn't yours?