I just had an idea to make cross-domain AJAX calls, because so far they really are a PITA to deal with. This is a solution I haven't seen exposed anywhere on the web, so it mig
This is workable but keep in mind that you're allowing your server to be told, by a client, what data to download. Depending on your implementation, it could be fairly harmless but it could easily bite you in the ass if it's not secured (perhaps limit it to very specific domains?).
For instance, someone could send multiple requests to your handler that returns, say, a Linux ISO or something illegal.
Nothing wrong with that. I use that trick in my AJAX requests.
I imagine you've already thought of some of these, but just in case not:
If you aren't doing any kind of authentication with your server-side XHR pass-through, you might want to limit what URLs can be called and parse the params for any extra-weird XSS opportunities this presents.
The latency increase might put a strain on your webserver since it could be holding the request/response threads longer waiting for a cURL response to come back (unless you're doing some kind of extra async architecture). Caching the cURL response might be preferable, but depending on how many variations of your POST'ed parameters you might encounter, that might not be an option.
I'm sure there are others depending on your application, but I will go ahead and say that I'm doing something like this but only because I pay for an external API that I don't want to expose directly to my AJAX application... so I've pretty heavily abstracted the calls, and limit them to pretty much a single external URL.
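The replies above recommend limiting which URLs the server-side pass-through may fetch. The following is an added example, not code from any poster in this thread, of a strict allowlist check to run before the outbound request is made; the host `api.example.com`, the function names and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only upstream this pass-through may contact.
ALLOWED_HOSTS = {"api.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means "no explicit port in the URL"


def validate_upstream_url(raw_url, allowed_hosts=ALLOWED_HOSTS):
    """Return raw_url if the proxy may fetch it, otherwise raise ValueError."""
    # Backslashes, whitespace and control characters are interpreted
    # differently by different URL parsers, so refuse them outright.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in raw_url):
        raise ValueError("illegal character in URL")
    parts = urlsplit(raw_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    # "https://allowed-host@other-host/" puts the allowed name in userinfo.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    # Compare the parsed hostname exactly; substring or suffix matching on
    # the raw string would accept "api.example.com.other.test".
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        raise ValueError("host not allowed")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    return raw_url


def is_allowed(raw_url):
    """Boolean wrapper, convenient in a request handler."""
    try:
        validate_upstream_url(raw_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, as a client might submit them to the handler.
    for url in ["https://api.example.com/v1/items?q=1",
                "https://api.example.com.other.test/",
                "https://api.example.com@other.test/",
                "http://api.example.com/"]:
        print(is_allowed(url), url)
```

The HTTP client that performs the fetch should also have redirect following turned off, or run each redirect target through the same check, since an allowed host can redirect elsewhere.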