Flash to the Rescue
June 28, 2006
It's still no fun to work around the cross-domain security restriction that web browsers
impose on the
XMLHttpRequest object (and IE's
object), but with the advent of more interesting REST web services, Ajax developers are looking for ways to make web services requests
directly from client web browsers, rather than loading down their servers.
The cross-domain request restrictions guideline, or Same Origin Policy, which has governed browser security since almost the beginning of recorded browser history (Netscape Navigator 2.0), has spawned a number of clumsy workarounds--many of which have probably been used by folks interested in simplifying their Ajax mashups and applications.
The usual workaround is to use server-based proxies, which I discuss here. For the
more daring, there's the limited yet powerful Dynamic Script Tag approach. However, the latest
entry in the field of hacks and workarounds has some potential advantages over all
(See Table 1). Based on Adobe (nee Macromedia) Flash technology and written by Julien
FlashXMLHttpRequest proxy, currently in stable beta, is a small (less
than 5K) Flash SWF file that can make HTTP
POSTs on your Ajax application's behalf.
FlashXMLHttpRequest has two primary advantages over other approaches. First,
it's truly cross-platform since it works the same in any web browser with Flash versions
7, or 8 installed (close to 95% of modern desktop web browsers). Second, it has a simple security model
to allow cross-domain requests, which is already in use by many sites that offer web
services, such as Yahoo and Amazon. The security is implemented on the
server side by placing a single text file, named crossdomain.xml, in the root
directory of the domain that hosts the web services. Rules in the file specify which
or IP addresses are allowed to make web services requests. On the client side, cross-domain
access is denied by default, but if the client finds a crossdomain.xml file on the
server and the rules allow it to connect, a request can proceed. You can view examples
crossdomain.xml files for Amazon and Yahoo here and here, respectively.
FlashXMLHttpRequest consists of several SWF files, one for Flash 8 and two
browser and the appropriate SWF file is loaded. The Dojo
interface in Flash 8 (called ExternalInterface).
wrapper that makes it work superficially like the
XMLHttpRequest object. Figure
1 shows a simple example that executes an HTTP
GET request of a Yahoo web
service. (It searches for podcasts that have the word "fun" in the title or description
returns only the first result found.) The file FlashXMLHttpRequest.js, referenced
at the top of the example, detects the version of Flash in the client browser and
appropriate SWF file.
Code example: An HTTP GET using FlashXMLHttpRequest
FlashXMLHttpRequest suffers from a few limitations, some more annoying than
others. It cannot receive HTTP status codes or send/receive HTTP headers, nor can
it do HTTP
DELETE, which limits its use by more sophisticated REST
web services implementations. To be fair, these limitations are imposed by Flash 6
Flash 8.0 can receive HTTP status codes and send/receive HTTP headers, and Flash 8.5
able to handle HTTP
Note that although the developer cannot explicitly send and receive HTTP headers,
Content-Type header can be set, which turns out to be quite useful if a type of data
than XML is requested, e.g., JSON or Serialized PHP. The request result is returned
plain-text string, responseText. It is up to the developer to parse it into an object.
ability to send arbitrary HTTP headers will likely be a future enhancement to
There are good security reasons why
XMLHttpRequest is constrained by the Same
request solution that will allow requests without compromising user security, and
two proposals are on the table to add an additional function to future browsers that
allow cross-domain requests. Douglas Crockford's
JSONRequest and Chris Holland's
ContextAgnosticXMLHttpRequest are both proposals that allow HTTP
requests from one domain to another while carefully considering the security