Tuesday, April 28, 2009

window.name hack taken a step further: full XHR proxying

My current GWT project requires a secure cross-site rpc solution so I started digging:

I liked the window.name hack the most and started implementing it in GWT. And while doing so I asked myself a question - why is it only limited to form submission? Well, it's not! You can use window.name for communication like in the #hash communication and do full XHR proxying. Look at this new (at least I didn't see it anywhere else) cross-site communication scheme:
  • Create an iframe
  • Encode XHR params and a dummy localUrl in the iframe's window.name
  • Change the iframe's location to the server's proxy script (i.e. if you want to send a request to example.org, example.org needs to provide a proxy script at e.g. example.org/cross_site_proxy.html)
  • The proxy script reads params from window.name and creates the real XHR
  • Fire the XHR and encode the response (all of it) in window.name
  • Change the location back to localUrl
  • Read the response from the iframe's window.name

It is important to set proper caching headers for both localUrl and server's proxy script so that they will be loaded from browser's cache w/o any additional requests.

  • As secure as Fragment Identifiers XHR proxying and the original window.name hack
  • Full XHR proxying like in the Fragment Identifiers XHR proxying
  • No server changes needed other than providing the proxy script

I am currently finishing my proof of concept implementation in GWT and I will do a follow-up on it shortly. In the meantime it can probably be easily implemented in js libraries like dojo as they have most of the required bits already done.

What do you think?