The importance of the proxy for Ajax
The same-domain limitation is a security measure for client-side scripting that prevents a browser from trusting content loaded from a Web site other than the one that served the original page.
Asynchronous JavaScript™ and XML (Ajax) communication methods include XMLHttpRequest (XHR) and IFrame requests. These methods allow the browser to send HTTP requests to a server at any time, with or without a user action. One limitation of an IFrame or XHR request is that it cannot be made to a server other than the one that served the original HTML page. This limitation is sometimes known as the same-domain limitation and exists as a security measure to prevent a hacker from injecting a malicious script by redirecting the page to an untrusted server. However, an Ajax-based Web application might need to make a request to a server that is different from the server that served the main HTML page. Client-side methods exist to work around the same-domain limitation, but these methods have limitations. The recommended solution to the same-domain limitation is to use a proxy server to forward the request to a server on a different domain. An example of proxy server use is shown in the following diagram:
The need for a solution to the same-domain restriction is amplified when using Ajax techniques. Ajax techniques can involve XHR or IFrame requests to server-side services. An Ajax application that collects data from multiple sources or services and combines them into one cohesive view is called a mashup. As an Ajax-enabled application, or mashup, accesses more services to gather data, and as mashup usage increases, there is a greater chance that an Ajax application must access a cross-domain service. The cross-domain service might be a third-party service or an internal service running on a different domain or port.
Alternative methods exist that allow a browser to access a cross-domain server. Mozilla-based browsers can use signed scripts to support cross-domain access. Signed scripts have some key limitations, including limited browser availability and security warnings. Other alternatives to a proxy for cross-domain access include on-demand scripting, cross-domain scripting, the JavaScript Object Notation with Padding (JSONP) technique, and several other methods. Services must be written to take advantage of these browser techniques. You must also consider any possible security implications when using these techniques.
Choosing to proxy Ajax requests instead of using a client-side, browser-based alternative can be beneficial. A proxy server can be configured to support access only to certain Web sites, whereas a browser-based solution cannot restrict cross-domain access on a per-server basis. Another proxy server benefit is content filtering of responses from a third-party site. One form of content filtering is configuring the proxy server to return content from a third-party Web site only if it matches a permissible content type. A final benefit is using the proxy server to convert response data to a format the Web application expects. A proxy server converting a Web service response from XML to JavaScript Object Notation (JSON) for consumption by a browser is an example of a proxy server converting data.
Related tasks
Aggregating content from different sites
Creating Rich Internet Applications (RIA)