The importance of the proxy for Ajax
Asynchronous JavaScript™ and XML (Ajax) communication
methods include XMLHttpRequest (XHR) and IFrame requests. These methods
allow the browser to send HTTP requests to a server at any time, with or
without a user action. One limitation of an IFrame or XHR request is
that it cannot be made to a server other than the one that
served the original HTML page. This limitation is sometimes known as the
same-domain limitation and exists as a security measure to prevent
an attacker from injecting a malicious script by redirecting the page to an untrusted server.
However, an Ajax-based Web application might need to make a request to
a server that is different from the server that served the main HTML
page. Client-side methods exist to work around the same-domain
limitation, but these methods have limitations. To resolve the same-domain limitation, use a proxy server to forward the request
to a server on a different domain. An example of proxy server
use is shown in the following diagram:
The need for a solution for the same-domain restriction is
amplified when using Ajax techniques. Ajax techniques can involve XHR
or IFrame requests to server-side services. An Ajax application that
collects data from multiple sources or services and combines them into
one cohesive view is called a mashup. As an Ajax-enabled application,
or mashup, accesses more services to gather data, and as mashup usage
increases, the chance that an Ajax application must access a cross-domain service also increases. The cross-domain service that
needs to be accessed might be a third-party service or an internal service
running on a different domain or port.
Alternative methods exist that allow a browser to
access a cross-domain server. Mozilla-based browsers can use signed
scripts to support cross-domain access. Signed scripts have some key
limitations, including limited browser availability and security warnings.
Other alternatives to a proxy for cross-domain access include on-demand scripting, cross-domain scripting, the JavaScript Object Notation with Padding (JSONP) technique, and several other methods. Services must be written to take advantage of
these browser techniques. You must also consider any possible security
implications when using these techniques.
Choosing to proxy Ajax requests instead of using a client-side, browser-based alternative can be beneficial. A
proxy server can be configured to support access only to certain Web
sites, whereas a browser-based solution cannot restrict cross-domain access on a per-server basis. Another proxy
server benefit is content filtering of a third-party site. One form of content filtering is configuring the proxy server to return content from a third-party Web site only if it matches a permissible content type. A final benefit is using the proxy server to convert
response data to a format the Web application expects. A proxy server
converting a Web service response from XML to JavaScript Object
Notation (JSON) for consumption by a browser is an example of a proxy
server converting data.
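The two proxy-side controls described above, restricting cross-domain access per server and filtering responses by content type, can be expressed as small policy checks. The following is an added example written for this page, not the product's own code; the allowed origins, media types and sample URLs are constructed.

```python
"""Policy checks for a server-side Ajax proxy: an origin allow list and a
response Content-Type filter. Added example; the allow list, media types
and URLs below are constructed, not taken from any product."""
from urllib.parse import urlsplit

# Constructed policy: only these (scheme, host, port) origins may be reached
# through the proxy. Port matters because an internal service on a different
# port is a different origin.
ALLOWED_ORIGINS = {
    ("https", "api.example.com", 443),
    ("http", "intranet.example.org", 8080),
}
# Constructed filter: only these media types are passed back to the browser.
ALLOWED_CONTENT_TYPES = {"application/json", "application/xml", "text/xml"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_target_allowed(target_url: str) -> bool:
    """Return True if the requested cross-domain URL matches an allowed origin.

    The scheme is normalised to lower case, a missing port is filled in from
    the scheme default, and URLs carrying credentials ("user@host") are
    rejected so the real host cannot be hidden behind an allowed-looking name.
    """
    try:
        parts = urlsplit(target_url)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False          # only plain http/https are proxied
    if parts.username is not None or parts.password is not None:
        return False          # reject "https://api.example.com@other.example/"
    host = parts.hostname     # already lower-cased by urlsplit
    if not host:
        return False
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:        # non-numeric or out-of-range port
        return False
    return (scheme, host, port) in ALLOWED_ORIGINS


def is_content_type_allowed(content_type_header: str) -> bool:
    """Return True if a response Content-Type header names a permitted media
    type; parameters such as ';charset=utf-8' are ignored."""
    media_type = content_type_header.split(";", 1)[0].strip().lower()
    return media_type in ALLOWED_CONTENT_TYPES
```

A proxy would call `is_target_allowed` before forwarding the browser's request and `is_content_type_allowed` on the upstream response before relaying the body.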