[dojo-contributors] Cross-domain XHR using an iframe proxy

James Burke jburke at dojotoolkit.org
Sun Jul 30 23:10:04 MDT 2006


The mechanism should support large requests/responses. The purpose of
the proxy is to allow using a service that was exposed for XHR use,
but on a different domain than the service (this is normally not
allowed by the browser security model).

Whatever the normal XHR response is, the iframe proxy grabs the
xhr.responseText, URL-encodes with encodeURIComponent, then breaks it
into a series of fragment identifiers and sends them to the other
frame. The other frame re-assembles the fragments and configures a
facade object on the client that looks like an XHR object so that the
normal methods that Dojo uses on XHR work transparently with the
facade.

The same sort of thing happens with the request: relevant info that
was set on the XHR facade is transformed into an encodeURIComponent
string, broken into chunks and sent to the server iframe. The server
iframe reassembles, then calls dojo.io.bind() from the server domain.

All that said, I haven't done testing on large requests/responses yet,
but the code is in there.

Did I answer the question? I may have misunderstood it.

James

On 7/30/06, Gavin Doughtie <gavin at dfmm.org> wrote:
> So, for larger hunks of data (or the real JSON object) you could encode
> a URL in the fragment and the receiving frame could go snatch that with
> a "normal" XHR -- or did you do that already?
>
> James Burke wrote:
> > I just committed changes to support doing cross domain XMLHttpRequests
> > (XHR) using an iframe proxy. Note that this is *not* using a server
> > side proxy -- it just uses plain old JavaScript and HTML. A set of
> > iframes (one local, one cross-domain) are used to serialize the XHR
> > request and response using URL fragment identifiers. The basic
> > fragment identifier mechanism is illustrated here:
> > http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html
> >
> >
> > There are test pages in the following directory that illustrate true
> > cross-domain requests:
> > http://dojotoolkit.org/~jburke/xip/tests/io/iframeproxy
> >
> > Works in FF 1.5, MSIE 6.0, Safari 2.0.3, and Opera 9. I still have
> > some more to do, in particular, sending back dojo.io.bind() error
> > callbacks that happen on the remote side. But it looks like it works.
> > Initial test with dojo.undo.browser seemed to indicate that back
> > button detection still works with this code (for the browsers that
> > dojo.undo.browser supports).
> >
> > The files:
> > - iframe_xip_client.html: The "client" side of the iframe proxy.
> > - iframe_xip_server.html: The "server" side of the iframe proxy. Uses
> > the isAllowedRequest() method to determine if a cross-domain request
> > is OK.
> > - src/io/XhrIframeProxy.js: Creates the proxy for dojo.io.bind()
> > requests.
> >
> > SECURITY NOTE:
> > Do not enable iframe_xip_server.html on your own server unless you are
> > SURE all your XHR-exposed services on your server are safe to be
> > called by anyone in the world.
> >
> > To enable the feature (and to restrict what type of requests are
> > allowed), a function called isAllowedRequest() must be defined for
> > iframe_xip_server.html. By default, the function does not exist, to
> > avoid accidentally enabling the cross-domain access.
> >
> > For a developer that wants to trigger an iframe-proxied XHR, do the
> > following:
> > - dojo.require("dojo.io.XhrIframeProxy");
> > - Define an iframeProxyUrl parameter to dojo.io.bind(). This will be a
> > URL to the iframe_xip_server.html file on the remote server.
> > - Make sure the URL parameter to dojo.io.bind() makes sense from the
> > iframeProxyUrl path, since it will be evaluated relative to that path,
> > not to the path of the page that initiates the bind.
> >
> > See the source for the tests mentioned above for examples.
> >
> > Any feedback is appreciated, particularly if this is considered too
> > volatile to be in the repository at this time. If this code shakes out
> > OK (and after fixing the TODOs in dojo.io.XhrIframeProxy), then it
> > would be neat to use this technique for comet communication. Right
> > now, this only works for XHR-type dojo.io.bind() requests.
> >
> > James
> > _______________________________________________
> > dojo-contributors mailing list
> > dojo-contributors at dojotoolkit.org
> > http://dojotoolkit.org/mailman/listinfo/dojo-contributors
>
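
Added example, not part of the original message and not Dojo's code: a sketch of the fragment chunking and reassembly described in the thread, plus a default-deny isAllowedRequest() for the server frame. The wire format (`#seq:total:part`), the chunk size, the `request` object shape (`method`, `url`), the origin and the allowlist entry are all assumptions made for illustration.

```javascript
// Added example: names, wire format and signatures are assumptions, not Dojo's code.
const CHUNK_SIZE = 1000; // assumed per-fragment budget; URL length limits vary by browser

// Sender side: URL-encode once, then cut into "#<seq>:<total>:<part>" fragments.
function toFragments(text, size = CHUNK_SIZE) {
  const encoded = encodeURIComponent(text);
  const total = Math.max(1, Math.ceil(encoded.length / size));
  const out = [];
  for (let i = 0; i < total; i++) {
    out.push(`#${i}:${total}:${encoded.slice(i * size, (i + 1) * size)}`);
  }
  return out;
}

// Receiver side: validate framing, join every part, and only then decode,
// because a chunk boundary can fall in the middle of a %XX escape.
function fromFragments(fragments) {
  const parts = [];
  let total = null, seen = 0;
  for (const f of fragments) {
    const m = /^#(\d+):(\d+):(.*)$/.exec(f);
    if (!m) throw new Error("malformed fragment");
    const seq = Number(m[1]);
    if (total === null) total = Number(m[2]);
    if (Number(m[2]) !== total || seq >= total || parts[seq] !== undefined) {
      throw new Error("inconsistent fragment");
    }
    parts[seq] = m[3];
    seen++;
  }
  if (total === null || seen !== total) throw new Error("missing fragment");
  return decodeURIComponent(parts.join(""));
}

// Server frame: default-deny allowlist keyed on method and normalized path.
const SERVICE_ORIGIN = "https://service.example";        // constructed
const ALLOWED = new Set(["GET /api/public/feed.json"]);  // constructed
function isAllowedRequest(request) {
  if (!request || typeof request.url !== "string") return false;
  let u;
  try { u = new URL(request.url, SERVICE_ORIGIN + "/"); } catch (e) { return false; }
  if (u.origin !== SERVICE_ORIGIN) return false; // never proxy to another origin
  return ALLOWED.has(`${String(request.method).toUpperCase()} ${u.pathname}`);
}
```

Resolving the requested URL before the lookup means `..` segments and protocol-relative URLs are compared in their normalized form, so they cannot slip past an exact-match allowlist.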

