- JSONP aka script tag inclusion - someone even implemented it in GWT, but it's insecure and limited by the url lenght size limit.
- IFrames, Fragment Identifiers and XHR Proxying - secure but the communication via #hash is far from perfect.
- window.name hack with from submission - that's really nice, but limited to form submission and requires server-side changes (special response format)
I liked the window.name hack the most and started implementing it in GWT. And while doing so I asked myself a question - why is it only limited to form submission? Well, it's not! You can use window.name for communication like in the #hash communication and do full XHR proxying. Look at this new (at least I didn't see it anywhere else) cross-site communication scheme:
- Create an iframe
- Encode XHR params and a dummy
localUrlin the iframe'swindow.name - Change the iframe's location to the server's proxy script (i.e. if you want to send a request to example.org, example.org needs to provide a proxy script at e.g. example.org/cross_site_proxy.html)
- The proxy script reads params from
window.nameand creates the real XHR - Fire the XHR and encode the response (all of it) in
window.name - Change the location back to
localUrl - Read the response from the iframe's
window.name
It is important to set proper caching headers for both localUrl and server's proxy script so that they will be loaded from browser's cache w/o any additional requests.
Pros:
- As secure as Fragment Identifiers XHR proxying and the original window.name hack
- Full XHR proxying like in the Fragment Identifiers XHR proxying
- No server changes needed other than providing the proxy script
I am currently finishing my proof of concept implementation in GWT and I will do a follow-up on it shortly. In the meantime it can probably be easily implemented in js libraries like dojo as they have most of the required bits already done.
What do you think?
How about doing the XHR window.name hack using google appengine? You could use a servlet to receive the request, pull the data from the datastore, encode it with jsp / outputStream, and effectively wrap an appsopt domain with your own... Not to mention that your gwt classes would be directly accessible to appengine, and with enough Generator hackery, it could even be an automatable process. Mind you, I'm just regurgitating ideas I've skimmed of reading Ray's posts, so maybe check up on him for his latest and greatest, http://timepedia.blogspot.com/2009/04/gwt-rpc-over-arbitrary-transports-uber.html ...wow...
ReplyDelete