Thursday, November 10th, 2005

Over on XML.com they published Fixing AJAX: XmlHttpRequest Considered Harmful.
This article discusses a few ways to get around the security constraints that we have to live with in browsers these days, in particular only being able to talk to your own domain via XHR.
The article walks you through three potential solutions:
- Application proxies. Write an application in your favorite programming language that sits on your server, responds to XMLHttpRequests from users, makes the web service call, and sends the data back to users.
- Apache proxy. Adjust your Apache web server configuration so that XMLHttpRequests can be invisibly re-routed from your server to the target web service domain.
- Script tag hack with application proxy (doesn’t use XMLHttpRequest at all). Use the HTML
I can’t wait for Trusted Relationships within the browser – server infrastructure.
With respect to Apache proxies, these things are priceless. I recently talked about them in relation to Migrating data centers with zero downtime.
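The application-proxy option from the list above, sketched as an added example (not code from the XML.com article or from this post): the page names a service and a path, and the server maps that onto a fixed upstream, so the proxy cannot be pointed at arbitrary hosts. The service names and `.example` hosts are placeholders.

```python
from urllib.parse import quote, urlencode, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Hypothetical upstream services (placeholder names and hosts).
UPSTREAMS = {
    "weather": "https://api.weather.example/v1/",
    "geo": "https://geo.example/lookup/",
}
MAX_BYTES = 1_000_000  # cap on how much of an upstream response is relayed


class ProxyError(ValueError):
    """The browser's request does not map to an allowed upstream URL."""


class NoRedirect(HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError instead of following the
    # redirect, so an upstream cannot bounce the proxy to another host.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_upstream_url(service, path, params=None):
    """Turn (service, path, params) sent by the page into an upstream URL."""
    base = UPSTREAMS.get(service)
    if base is None:
        raise ProxyError("unknown service")
    segments = path.split("/")
    # Empty, "." and ".." segments would allow "//host" or traversal tricks.
    if any(s in ("", ".", "..") or "\\" in s for s in segments):
        raise ProxyError("bad path")
    url = base + "/".join(quote(s, safe="") for s in segments)
    if params:
        url += "?" + urlencode(params)
    # Defence in depth: the result must still point at the configured host.
    if urlsplit(url).netloc != urlsplit(base).netloc:
        raise ProxyError("host mismatch")
    return url


def fetch(service, path, params=None):
    """Make the web service call on the user's behalf; returns (status, body)."""
    req = Request(build_upstream_url(service, path, params),
                  headers={"Accept": "application/json"})
    with build_opener(NoRedirect).open(req, timeout=5) as resp:
        return resp.status, resp.read(MAX_BYTES)
```

The browser-side XMLHttpRequest then targets a same-origin endpoint that calls `fetch`; the endpoint itself still needs the site's usual authentication and rate limiting.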
What do you guys think about this general issue? Have you come up with any interesting solutions? Any ideas on how we can keep security, yet give us the freedom that we want?
It is interesting that Zimbra takes the “install a local proxy” approach.