Sunday, July 19, 2015

Cross site requests

A few years back, when one website had to post a form to another site on a different domain or subdomain, the options were few and inelegant.
Recently we had this situation and found that CORS is probably the best option for reasonable usage. In our case the whole presentation was rendered using Backbone: the server responded with JSON, which was then painted by the JS framework.
Within this, we had to conditionally bring up an authentication form. The authentication was handled by a different system, and that system could be trusted.
We did a brief study of the possible approaches and found CORS the best option. Below is the comparison table.
| Approach | CORS | JSONP | Reverse proxy |
|---|---|---|---|
| One-liner on the approach | New HTML5 feature which allows setting a header attribute to indicate cross-site requests. In the technology groups this is preferred over JSONP. | JSON with padding: we provide a callback function, which is invoked after the remote call. | Write a redirect rule in the web server configuration. |
| How to implement | Set the request header attribute with the "Allow-Access-Origin". Settings in the web server to allow the domain. | 1. Specify the callback function as part of the form action. 2. Provide an implementation of the callback function. | Write a redirect rule in the web server configuration. |
| Security | Secure when the systems involved are secure and the access is limited to certain domains. It is possible to set it to "*" (allow all other sites to access), which should not be used. Additionally, every single request has to specify the header, so it is fully with the developer to enable or disable this access and not at the IT team's discretion. | The callback function should evaluate the parameters before acting on them; this will make the approach secure. | Secure |
| Performance | No impact | Depends on the callback function implementation, but should not impact | No impact |
| Maintenance | Simple | Medium (the callback function holds the key to what happens once the response comes back) | Complex (the developer has to dig into web server redirect rules to identify/debug; unit testing is complex) |
| Support in jQuery | Supported in jQuery 1.7 | Supported in jQuery | Not applicable |
| Drawbacks | None. For browser support, see what is present in Wikipedia: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support | Can only do GET and no POST. It is more like a trick to get through the browser's same-origin policy. Error handling is not neat; the only way of handling errors is through timeouts. | 1. This is very tricky. 2. Web server redirect rules are not easy to test and can cause unforeseen impact. |
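Since the CORS rows of the table turn on which domains the server admits and on the "*" wildcard, here is an added example (not code from the original post) showing the server side of the setup described above: an explicit origin allowlist, a preflight answer for the POST of the login form, and a refusal for everything else. The two origins and the /auth/login path are assumptions chosen for illustration, and the handler works on plain objects rather than an HTTP library so the policy can be exercised directly. One point of precision on the table: in the specification the header the server sends is spelled Access-Control-Allow-Origin, and it is a response header; the browser adds the Origin request header by itself on every cross-origin call.

```javascript
// Added example, not from the original post: server-side CORS policy for a
// Backbone/jQuery front end on one origin posting a login form to a trusted
// auth system on another origin. Origins and path below are assumptions.

// Explicit allowlist of origins (scheme + host + port). Never "*" here, and
// never reflect an arbitrary Origin back: combined with cookies, that would
// let any site drive the authenticated session.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',      // assumed front-end origin
  'https://beta.app.example.com', // assumed second subdomain
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Content-Type', 'X-Requested-With'];

// Decide which CORS response headers to emit for a request, or return null
// when the origin (or the method a preflight asks for) is not allowed.
function corsHeaders(origin, method, requestedMethod) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,        // the matched entry, not "*"
    'Vary': 'Origin',                             // keep shared caches per-origin
    'Access-Control-Allow-Credentials': 'true',   // the login relies on cookies
  };
  if (method === 'OPTIONS') {
    // Preflight: the browser asks before sending a POST with a JSON body.
    if (requestedMethod && !ALLOWED_METHODS.includes(requestedMethod)) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Minimal request handler over plain objects ({method, url, headers, body})
// returning {status, headers, body}; wire it to http.createServer as needed.
function handle(req) {
  const h = req.headers;
  const cors = corsHeaders(h.origin, req.method, h['access-control-request-method']);
  if (h.origin !== undefined && cors === null) {
    // Cross-origin request from an untrusted origin: no CORS headers, so the
    // browser withholds the response, and the server does not act on it either.
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'origin not allowed' };
  }
  const out = Object.assign({}, cors); // same-origin requests get no CORS headers
  if (req.method === 'OPTIONS') return { status: 204, headers: out, body: '' };
  if (req.method === 'POST' && req.url === '/auth/login') {
    let form;
    try { form = JSON.parse(req.body); } catch (e) { form = null; }
    if (!form || typeof form.username !== 'string') {
      return { status: 400, headers: out, body: 'bad request' };
    }
    // Placeholder: real credential checking happens in the auth system.
    out['Content-Type'] = 'application/json';
    return { status: 200, headers: out, body: JSON.stringify({ user: form.username, ok: true }) };
  }
  return { status: 404, headers: out, body: '' };
}

// Constructed sample exchange: the preflight and the actual POST a browser
// sends for a cross-origin login from the allowed front end.
function sampleLogin() {
  const preflight = handle({
    method: 'OPTIONS', url: '/auth/login', body: '',
    headers: { origin: 'https://app.example.com',
               'access-control-request-method': 'POST',
               'access-control-request-headers': 'content-type' },
  });
  const login = handle({
    method: 'POST', url: '/auth/login',
    headers: { origin: 'https://app.example.com', 'content-type': 'application/json' },
    body: JSON.stringify({ username: 'alice', password: 'constructed-sample' }),
  });
  return { preflight, login };
}
```

On the jQuery side the only addition to the `$.ajax` call is `xhrFields: { withCredentials: true }` so that the session cookie travels with the request; that is why the server answers with `Access-Control-Allow-Credentials: true` and a specific origin rather than "*", since browsers reject the wildcard when credentials are in play. The `Vary: Origin` header keeps a proxy from serving one origin's allow header to another.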
