tag:blogger.com,1999:blog-178964432011-12-13T19:57:32.358-08:00NKnoreply@blogger.comBlogger11100tag:blogger.com,1999:blog-17896443.post-1131666585198474422005-11-10T15:43:00.000-08:002005-11-10T15:51:23.556-08:00<span style="font-family:arial;"><strong>J</strong>ason Levitt on </span><a href="http://www.xml.com"><span style="font-family:arial;">xml.com</span></a><span style="font-family:arial;"> have published an intresting article with title "<em>Fixing AJAX: XMLHttpRequest Considered Harmful</em>" This article explains few ways to get around the possible security constraints that we can face with in the browsers.</span><br /><br /><span style="font-family:arial;">He writes in his article ....</span><br /><br /><blockquote><p align="justify"><span style="font-family:arial;">"...the kind of AJAX examples that you don't see very often (are there any?) are ones that access third-party web services, such as those from Amazon, Yahoo, Google, and eBay. That's because all the newest web browsers impose a significant security restriction on the use of XMLHttpRequest. That restriction is that you aren't allowed to make XMLHttpRequests to any server except the server where your web page came from. So, if your AJAX application is in the page </span><a href="http://www.yourserver.com/junk.html"><span style="font-family:arial;">http://www.yourserver.com/junk.html</span></a><span style="font-family:arial;">, then any XMLHttpRequest that comes from that page can only make a request to a web service using the domain </span><a href="http://www.yourserver.com/"><span style="font-family:arial;">www.yourserver.com</span></a><span style="font-family:arial;">. Too bad -- your application is on </span><a href="http://www.yourserver.com/"><span style="font-family:arial;">www.yourserver.com</span></a><span style="font-family:arial;">, but their web service is on webservices.amazon.com (for Amazon). The XMLHttpRequest will either fail or pop up warnings, depending on the browser you're using"</span></p></blockquote><br /><span style="font-family:arial;">He suggested three workarounds to get rid from this and they are :</span><br /><br /><strong>i) Application Proxy:</strong> <span style="font-family:arial;">The server app on the originating server makes the call to the other server. Write an application in your favorite programming language that sits on your server, responds to XMLHttpRequests from users, makes the web service call, and sends the data back to users</span><br /><br /><strong>ii) Apache Proxy:</strong> <span style="font-family:arial;">The Apache server config is needs to be modified so that requests are re-routed from the originating server to the other server, with your XMLHttpRequest object being none the wiser. You probably won't be able to do this if your application was hosted on a shared hosting service.</span><br /><br /><strong>iii) Script Tag Hack with Application Proxy:</strong> <span style="font-family:arial;">Dynamically generate a HTML script tag and set the src attribute to make the request. No XMLHttpRequest is made, and the result is JavaScript, not XML. This approach is also known as <a href="http://ajaxpatterns.org/On-Demand_Javascript">On-Demand JavaScript</a>.</span><br /><span style="font-family:arial;"><br />Read the complete article <a href="http://www.xml.com/pub/a/2005/11/09/fixing-ajax-xmlhttprequest-considered-harmful.html">here.</a></span><br /><span style="font-family:Arial;"></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/17896443-113166658519847442?l=ajaxgoals.blogspot.com' alt='' /></div>NKnoreply@blogger.com1