Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Tuesday, July 1, 2008

XMLHttpRequest and security restrictions

The XMLHttpRequest object, the heart of AJAX programming, has security implications because of the power it gives JavaScript to reach remote servers.
To keep things secure, you cannot use a URL in an XMLHttpRequest that is not from the domain where the JavaScript is executed. For example, if there is an XML file news.xml at http://mydomain.com/news.xml, you cannot read this XML using JavaScript on a web page that is not deployed in the http://mydomain.com domain.

The same holds true for web services deployed in other domains: you cannot invoke them from your domain just by using XMLHttpRequest. There are two solutions to this.
1. Digital signing: you can sign your JavaScript, which informs the web service host that it guarantees not to be malicious. But that is a bit difficult to do.
2. Proxy: you can send your request through a proxy resource located in the same domain where the web service is deployed. This proxy forwards the request to the web service and returns the result to the browser.
