Flash to the Rescue
It's still no fun to work around the cross-domain security restriction that web browsers impose on the
XMLHttpRequest object (and IE's
XMLHTTP ActiveX object), but with the advent of more interesting REST web services, Ajax developers are looking for ways to make web services requests directly from client web browsers, rather than loading down their servers.
The cross-domain request restrictions guideline, or Same Origin Policy, which has governed browser security since almost the beginning of recorded browser history (Netscape Navigator 2.0), has spawned a number of clumsy workarounds--many of which have probably been used by folks interested in simplifying their Ajax mashups and applications.
The usual workaround is to use server-based proxies, which I discuss here. For the more daring, there's the limited yet powerful Dynamic Script Tag approach. However, the latest entry in the field of hacks and workarounds has some potential advantages over all of these (See Table 1). Based on Adobe (nee Macromedia) Flash technology and written by Julien Couvreur, the
FlashXMLHttpRequest proxy, currently in stable beta, is a small (less than 5K) Flash SWF file that can make HTTP
POSTs on your Ajax application's behalf.
FlashXMLHttpRequest has two primary advantages over other approaches. First, it's truly cross-platform since it works the same in any web browser with Flash versions 6, 7, or 8 installed (close to 95% of modern desktop web browsers). Second, it has a simple security model to allow cross-domain requests, which is already in use by many sites that offer web services, such as Yahoo and Amazon. The security is implemented on the server side by placing a single text file, named crossdomain.xml, in the root directory of the domain that hosts the web services. Rules in the file specify which domains or IP addresses are allowed to make web services requests. On the client side, cross-domain access is denied by default, but if the client finds a crossdomain.xml file on the server and the rules allow it to connect, a request can proceed. You can view examples of crossdomain.xml files for Amazon and Yahoo here and here, respectively.
XMLHttpRequest object. Figure 1 shows a simple example that executes an HTTP
GET request of a Yahoo web service. (It searches for podcasts that have the word "fun" in the title or description and returns only the first result found.) The file FlashXMLHttpRequest.js, referenced at the top of the example, detects the version of Flash in the client browser and loads the appropriate SWF file.
Code example: An HTTP GET using FlashXMLHttpRequest
FlashXMLHttpRequest suffers from a few limitations, some more annoying than others. It cannot receive HTTP status codes or send/receive HTTP headers, nor can it do HTTP
DELETE, which limits its use by more sophisticated REST web services implementations. To be fair, these limitations are imposed by Flash 6 and 7; Flash 8.0 can receive HTTP status codes and send/receive HTTP headers, and Flash 8.5 will be able to handle HTTP
Note that although the developer cannot explicitly send and receive HTTP headers, the HTTP Content-Type header can be set, which turns out to be quite useful if a type of data other than XML is requested, e.g., JSON or Serialized PHP. The request result is returned as a plain-text string, responseText. It is up to the developer to parse it into an object. The ability to send arbitrary HTTP headers will likely be a future enhancement to
There are good security reasons why
JSONRequest and Chris Holland's
ContextAgnosticXMLHttpRequest are both proposals that allow HTTP requests from one domain to another while carefully considering the security ramifications.
- 24 HOur Locksmith Lockout Service Assistance Los Angeles 1-323-678-2704
2009-07-02 15:01:17 carpetcare
- Example Error
2007-01-11 13:46:29 ameikle