23 May 2009

Cross-domain data retrieval in client-side mashups

Browsers do not allow dynamic cross-domain data retrieval to prevent cross-site scripting attacks. However, client-based mashups need to access data sources that reside on different servers. There are several solutions to this problem:

  • Proxies: requires running proxy on intermediate server, leads to slower responses and additional traffic

  • Window.name transport: requires support by the accessed services, because window.name property has to be set

  • JSON and dynamic <script> tags: requires that the accessed services expose JSON, which is e.g. not the case for RSS feeds (which use XML)

  • Signed JavaScript: only available for Firefox

  • W3C Cross-Origin Resource Sharing: needs support on client and accessed service side, only available for
    Firefox 3.5 and Internet Explorer 8

  • Flash drop-in: requires Flash on the client and a crossdomain.xml file on the server with the accessed service that support the crossdomain access.

Because all the solutions except the proxy restrict either the browsers or the web services that can be used, I decided to go with the proxy solution. I downloaded the PHP proxy script from Abdul Qabiz Blog and modified it as suggested by the comments on his blog post. I also added a small section to make sure the default content type is XML:

if ($mimeType != "") {
// set header from mime type
header("Content-Type: ".$mimeType);
} else {
// assume web service returns xml
header("Content-Type: text/xml");
The proxy script works for me in a development environment now, but I do not recommend using it in a production environment, because important features such as restrictions of the client domain and forwarding the headers from the original service response are missing.

No comments: