The Server-Side Proxy
The Server Side Proxy… oh how I despise thee.
It’s a technique we wouldn’t have to use at all, were it not for browser security restrictions (which are admittedly in place for a good reason: to save us from ourselves).
Problem
The Same-origin policy, also known as same-domain limitation.
Reaction
After IE4 and a number of other browsers had vulnerabilities revealed in which Cross-Site Scripting (XSS) attacks were exploited to gain access to user data, jeopardize the availability of, or otherwise vandalize popular Web Services and Web Applications, the browser vendors got together and decided to lock their browsers down into a “sandbox”.
What is a sandbox, you ask? In non-developer speak, it’s just like the one you can find in public parks: a set of boundaries around a soft and malleable plot of land where you can play safely and fall down as much as you want without hurting yourself (or others). Even if you did decide to go on an all-out rampage, you could at most hurt other people inside the sandbox. In geek speak, it’s a security mechanism for separating running programs whereby code is isolated to its own space in memory and/or its own path on the network. This effectively means your client-side code can’t make a request to any URL above its own path, let alone to an external Web Service or application.
Solution
Create a server-side proxy to bypass the browser security restrictions! Well, this is one approach at least. Others include web server hacks, a Flash object with a cross-domain policy, and use of JSONp, but each of those may severely limit what types of data and services you can work with.
For instance, JSONp requires a Web Service which supports JavaScript callbacks; furthermore, it requires you to trust the service provider completely, since the script they return runs inside your page and can inject new scripts or call your own JavaScript code at will, should they choose to abuse your trust (or naivety). So that rules out JSONp for all but the most trustworthy domains.
Likewise, Flash requires a cross-domain policy on the server you are trying to access remotely which expressly states that site’s trust of your domain. This is done by placing your domain in a sort of white-list via a crossdomain.xml file at the root of their domain. This enables your domain to access their data through Flash; alternatively, the service provider may itself naively offer up access to their domain to everyone by default (e.g. YouTube, Yahoo!, Amazon, this site, etc.).
As for the server hacks, they require major extensions to be installed and access rules to be rewritten in your own server configuration (which you may or may not have full control of as a developer in a big enterprise, or as a user of paid hosting solutions). Last but not least are more modern approaches such as Cross-Origin Resource Sharing (CORS), which, while well-meaning in nature, still leaves a lot to be desired, because the browsers put the sandboxes in place for a reason.
Here’s a nice graphical summary of it all:
So that sets us up for the best go-to solution at this point.
The Server-Side Proxy
The Server-Side Proxy could be anything from a basic snippet of code that receives a URL and makes an HTTP request to it, to a complex authentication-based, whitelist-driven, data-validating, usage-metered piece of complete software. You can write a proxy in just about any modern programming language that supports network access, but I’ve developed and collected several examples in some of the most popular programming languages, each with its own dependencies and advantages/shortcomings. In particular, compare the approaches available in HTML5 to other common web-based techniques such as Flash or JSONp.
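As an added example that is not part of the original post or of the linked snippets, here is a minimal whitelist-driven proxy in Python of the kind the paragraph above describes, with the target validation an open proxy needs so it cannot be pointed at your own internal network; the allowed hosts, the /proxy?url= endpoint, the port and the size cap are assumptions.

```python
# Added example, not from the original post. Assumed: the allow-listed upstream
# hosts, the /proxy?url=<target> endpoint, the port and the size cap below.
import ipaddress, socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request, urlopen

ALLOWED_HOSTS = {"api.example.com", "feeds.example.org"}  # constructed allow-list
MAX_BYTES = 1_000_000  # cap on the relayed body so one request cannot exhaust memory

def validate_target(url, resolve=socket.gethostbyname):
    """Return (ok, reason). Rejects non-HTTP schemes, embedded credentials, hosts outside the
    allow-list and hosts resolving to non-public addresses (SSRF guard); `resolve` is injectable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allow-list"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):  # gaierror is an OSError; ValueError if the answer is not an IP
        return False, "host does not resolve"
    if not addr.is_global:  # loopback, RFC 1918, link-local, etc. must never be proxied
        return False, "host resolves to a non-public address"
    return True, "ok"

class ProxyHandler(BaseHTTPRequestHandler):
    """GET /proxy?url=<target>: read-only forward; browser cookies are not passed upstream."""
    def do_GET(self):
        target = parse_qs(urlsplit(self.path).query).get("url", [""])[0]
        ok, reason = validate_target(target)
        if not ok:
            self.send_error(403, reason)
            return
        try:
            with urlopen(Request(target, headers={"User-Agent": "proxy-example"}), timeout=5) as up:
                body, ctype = up.read(MAX_BYTES), up.headers.get("Content-Type", "application/octet-stream")
        except OSError:  # URLError/HTTPError (DNS, refused, timeout, 4xx/5xx) are OSError subclasses
            self.send_error(502, "upstream error")
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":  # binds to localhost only; front it with your own auth in production
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Because the address is checked before the fetch, a host whose DNS answer changes between the two lookups (DNS rebinding) can still slip through; a hardened proxy connects to the IP it validated rather than resolving the name again.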
See the full text links below:
PHP | Python | Perl | Ruby | Java (Servlet) | JSP | ASP.net | C# | C | C++ | Objective-C | LISP | Flash | AJAX (JSONp) | HTML5 | CSS
UPDATE (2010-12-09):
Several of these proxies may be outdated against the latest versions of each programming language or of the dependency libraries used, or there just might be a better/more secure way of doing it; please help me update the source code on snipplr!
Related Articles
- What is a Reverse Proxy and How Can it Help My SEO? (seomoz.org)
- EasyXDM – crossdomain javascript done right (zemanta.com)
- Why use a Javascript UI for Solr? (css.dzone.com)
- Using JSON for Private Data (mozilla.com)
- Using SignalR To Push StreamInsight Events to Client Browsers (seroter.wordpress.com)