Tuesday, April 28, 2009

window.name hack taken a step further: full XHR proxying

My current GWT project requires a secure cross-site RPC solution, so I started digging:

I liked the window.name hack the most and started implementing it in GWT. While doing so I asked myself a question: why is it limited to form submission? Well, it's not! You can use window.name as a general communication channel, just as the #hash (fragment identifier) technique does, and do full XHR proxying. Look at this new (at least I didn't see it anywhere else) cross-site communication scheme:
  • Create an iframe
  • Encode the XHR params and a dummy localUrl (a cacheable page on your own origin) in the iframe's window.name
  • Change the iframe's location to the server's proxy script (i.e. if you want to send a request to example.org, example.org needs to provide a proxy script at e.g. example.org/cross_site_proxy.html)
  • The proxy script reads the params from window.name and creates the real XHR
  • Fire the XHR and encode the response (all of it: status, headers and body) in window.name
  • Change the iframe's location back to localUrl
  • Read the response from the iframe's window.name, which is readable again now that the iframe is back on your origin
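Here is the scheme above written out as a small JavaScript sketch. It is an added example, not code from the original post and not the GWT or Dojo implementation; the function names (encodeMessage, decodeMessage, isSameOriginPath, crossSiteRequest, proxyMain), the "wnxhr:" prefix and the localUrl/proxy paths are assumptions made for the illustration. The caller side runs on your page; the proxy side is the body of the proxy script the remote site serves.

```javascript
// Added example (not code from the original post): a minimal implementation
// of the window.name XHR-proxying scheme. The function names, the MAGIC
// prefix and the /cross_site_proxy.html path are assumptions for illustration.

// window.name is a plain string, so requests and responses are serialised as
// JSON behind a short prefix that lets each side recognise its own messages.
var MAGIC = "wnxhr:";

function encodeMessage(obj) {
  return MAGIC + encodeURIComponent(JSON.stringify(obj));
}

// Returns the decoded object, or null if the name is missing, not ours or corrupt.
function decodeMessage(name) {
  if (typeof name !== "string" || name.indexOf(MAGIC) !== 0) {
    return null;
  }
  try {
    return JSON.parse(decodeURIComponent(name.substring(MAGIC.length)));
  } catch (e) {
    return null;
  }
}

// The proxy must only fetch resources on its own origin; accepting absolute
// URLs (or protocol-relative "//host/...") would turn it into an open proxy
// that any page on the web could drive.
function isSameOriginPath(url) {
  return typeof url === "string" && url.charAt(0) === "/" && url.charAt(1) !== "/";
}

// --- Caller side: runs on the page at your origin (say http://app.example) ---
// localUrl must be a small, cacheable page on your origin; the iframe's name
// becomes readable again only once the iframe has navigated back to it.
function crossSiteRequest(proxyUrl, localUrl, request, callback) {
  var iframe = document.createElement("iframe");
  iframe.style.display = "none";
  iframe.name = encodeMessage({ localUrl: localUrl, request: request });
  iframe.onload = function () {
    var name;
    try {
      name = iframe.contentWindow.name; // throws while the iframe is on the foreign origin
    } catch (e) {
      return;
    }
    var msg = decodeMessage(name);
    if (!msg || !msg.response) {
      return; // onload for an intermediate page; the response is not there yet
    }
    iframe.contentWindow.name = ""; // don't leave the response lying around
    document.body.removeChild(iframe);
    callback(msg.response);
  };
  document.body.appendChild(iframe);
  iframe.src = proxyUrl; // e.g. "http://example.org/cross_site_proxy.html"
}

// --- Proxy side: the body of http://example.org/cross_site_proxy.html ---
// Reads the request from window.name, performs the real XHR on example.org,
// stores the whole response in window.name and navigates back to localUrl.
function proxyMain() {
  var msg = decodeMessage(window.name);
  if (!msg || !msg.request || !isSameOriginPath(msg.request.url)) {
    return; // not a request for us, or an attempt to fetch a foreign URL
  }
  var req = msg.request;
  var xhr = new XMLHttpRequest();
  xhr.open(req.method || "GET", req.url, true);
  if (req.contentType) {
    xhr.setRequestHeader("Content-Type", req.contentType);
  }
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) {
      return;
    }
    window.name = encodeMessage({
      response: {
        status: xhr.status,
        headers: xhr.getAllResponseHeaders(),
        body: xhr.responseText
      }
    });
    window.location.replace(msg.localUrl); // back to the caller's origin
  };
  xhr.send(req.body || null);
}
```

The proxy page calls proxyMain() once it has loaded; the caller invokes crossSiteRequest("http://example.org/cross_site_proxy.html", "/blank.html", { method: "GET", url: "/api/data" }, function (r) { ... }). The iframe's onload fires twice (once for the proxy page, once for localUrl), and the cross-origin read of contentWindow.name throwing on the first one is what distinguishes the two. The isSameOriginPath check is the part a practitioner should not skip: the proxy script is reachable from every origin, so it must only ever fetch its own resources.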

It is important to set proper caching headers for both localUrl and the server's proxy script so that they are served from the browser's cache without any additional requests.

Pros:
  • As secure as Fragment Identifiers XHR proxying and the original window.name hack
  • Full XHR proxying like in the Fragment Identifiers XHR proxying
  • No server changes needed other than providing the proxy script

I am currently finishing my proof-of-concept implementation in GWT and will do a follow-up on it shortly. In the meantime it can probably be implemented easily in JavaScript libraries like Dojo, as they already have most of the required bits.

What do you think?

1 comment:

  1. How about doing the XHR window.name hack using google appengine? You could use a servlet to receive the request, pull the data from the datastore, encode it with jsp / outputStream, and effectively wrap an appspot domain with your own... Not to mention that your gwt classes would be directly accessible to appengine, and with enough Generator hackery, it could even be an automatable process. Mind you, I'm just regurgitating ideas I've skimmed off reading Ray's posts, so maybe check up on him for his latest and greatest, http://timepedia.blogspot.com/2009/04/gwt-rpc-over-arbitrary-transports-uber.html ...wow...