Introduction

Netscape 6.1+/Mozilla 0.8.2+ and MSIE 5+ browsers ship with a native object
that makes it possible to issue HTTP requests from within a page using
JavaScript. In terms of API design they are almost identical (for once..),
so scripting for cross-browser compatibility is relatively easy in this case.
The big difference is that the Mozilla implementation has a stricter security
context. While the availability of MSIE's 'Microsoft.XMLHTTP' is based on the
"Security Zones" and "Trusted Sites" defined in the browser settings, Mozilla
has taken another approach: you can only issue XMLHttpRequests to the same
domain:port from which the parent document originated. While some might say
this is reasonable in view of the various cross-site scripting exploits,
others find it very frustrating, as they can't access or incorporate services
or data from the outside world into their web apps without depending on a
through-and-through server-side solution, which to say the least severely
cripples the Mozilla implementation in terms of usability. rpcproxy is the
cure.

This piece came about as Ruben Daniels from Virtual Cowboys and I were
concurrently struggling with client-side JavaScript implementations of
XML-RPC clients. We found ourselves very annoyed with these restrictions, as
we couldn't take advantage of the increasing number of great RPC services out
there, so I decided to knock up this proxy script to overcome this
shortcoming.

The idea is very simple. Once placed on your server, it takes a POST request
coming in from the local domain, passes it along as-is to the real RPC server
and then proxies the response back to the client. As of version 1.40,
rpcproxy also gzip-compresses the XML response stream before forwarding it
back to the client, making it far more manageable in terms of bandwidth. A
vanilla XML document can be reduced by up to some 90% of its original size
simply by compressing it. Gzip-encoded documents are supported by MSIE and
Mozilla out of the box, so you don't have to care about it other than that
you just gained about 9/10ths of bandwidth. If you are on a slow connection,
that makes a noticeable difference. But the most important thing here is
that, as far as Mozilla and MSIE are concerned, a request like this raises no
security exception, since it was seemingly served from the local domain:port.

Security.

This script will only proxy POST requests that carry an additional HTTP
header named X-Proxy-Request (or another name of your own choice) containing
the URL of the real RPC service. If this header isn't present OR the service
URL isn't in the list of ALLOWED services, rpcproxy will blackhole the
request and respond with an HTTP status 403 Forbidden. This effectively
prevents it from being used as a public/anonymous proxy or for any other
malicious purpose.

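In the end it's up to you to decide which URLs can be proxied. Because the
header value is supplied by the client, this list is what limits where
rpcproxy will forward requests. The list of allowed URLs comes with a few
pre-defined known RPC services to show you the syntax. Remove these and/or
add your own RPC URLs.
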
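The gate described in this section, written out as an added example (it is not rpcproxy's own code). It assumes a CGI environment, where the X-Proxy-Request header arrives as HTTP_X_PROXY_REQUEST; the function name gate, the allow-list entries and the extra URL sanity checks are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed placeholder allow-list; replace with the RPC endpoints you trust.
ALLOWED_SERVICES = frozenset({
    "http://rpc.example.org/RPC2",
    "http://services.example.net/xmlrpc",
})

# CGI exposes the request header "X-Proxy-Request" under this environment key.
HEADER_KEY = "HTTP_X_PROXY_REQUEST"


def gate(environ, allowed=ALLOWED_SERVICES):
    """Return (200, target_url) to forward a CGI request, (403, None) to refuse."""
    if environ.get("REQUEST_METHOD", "").upper() != "POST":
        return 403, None  # only POST is proxied
    target = environ.get(HEADER_KEY)
    if not target:
        return 403, None  # header absent or empty
    if any(ch in target for ch in "\r\n\0"):
        return 403, None  # control characters never belong in a URL
    try:
        parts = urlsplit(target)
    except ValueError:
        return 403, None  # unparseable URL
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return 403, None  # http(s) only, no embedded credentials
    # Exact membership: the client picks this header value, so prefix or
    # substring matching would admit URLs that were never listed.
    if target not in allowed:
        return 403, None
    return 200, target


# Constructed sample requests, as the CGI environment would present them.
SAMPLES = [
    {"REQUEST_METHOD": "POST", HEADER_KEY: "http://rpc.example.org/RPC2"},
    {"REQUEST_METHOD": "GET", HEADER_KEY: "http://rpc.example.org/RPC2"},
    {"REQUEST_METHOD": "POST"},
    {"REQUEST_METHOD": "POST", HEADER_KEY: "http://rpc.example.org/RPC2/other"},
    {"REQUEST_METHOD": "POST", HEADER_KEY: "http://unlisted.example.com/RPC2"},
]

if __name__ == "__main__":
    for env in SAMPLES:
        status, target = gate(env)
        print(status, env.get("REQUEST_METHOD"), env.get(HEADER_KEY), "->", target)
```

Only the first sample is forwarded; every other request gets the 403 path, including the listed host with a different path.
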
MS Internet Explorer 5+ note.

While using rpcproxy.cgi as a proxy is crucial for issuing remote HTTP
requests with Mozilla's XMLHttpRequest, it also has an effect on MSIE: the
Microsoft.XMLHTTP object likewise considers requests to the local domain:port
safe and will gladly make them WITHOUT having this domain name present in the
list of Trusted Sites.