[OSM-talk] OpenLayers and Proxy (was :Relation/Routes and Hikes in open Country)

Christopher Schmidt crschmidt at metacarta.com
Thu Jun 26 21:47:23 BST 2008


On Thu, Jun 26, 2008 at 10:25:27PM +0200, Frederik Ramm wrote:
> Hi,
> 
> Thomas Wood wrote:
> > I think you're running into XSS limitations of browsers. You'll
> > probably need to proxy the request on the same domain that's hosting
> > the page.
> 
> Someone talked to me about this at the LinuxTag. He was adamant that our 
> API should support JSON (in addition to XML) as a return data format. He 
> said that a JSON message would be valid JavaScript and thus it could be 
> loaded <script>-like into a JavaScript app, circumventing the 
> same-origin policy that applies to XmlHttpRequest.

That's sort of true. (Specifically, your API has to support an arbitrary
'callback' parameter, to wrap the Javascript *object* in a function. At
least, that's how every service and all code I've used have done it.)

Note that this doesn't actually require that we stop returning XML: we
could return XML wrapped in a JSON response, and then just parse the XML
as a string (which OpenLayers has the ability to do); this would
eliminate the need for much code, just meaning you'd add a rails bit to
take ?callback= to mean 'wrap the XML in a string and a
function_call()'.

> I said why bother, people can easily proxy requests if they want, but he 
> said that there's a large group of possible users that wouldn't be able 
> to set up a proxy and for whom a JSON interface would be an absolute 
> requirement.

I agree that this is true.

> I don't even know if there was any merit to his ramblings, technically - 
> can you really dynamically load JSON data from other hosts?

You can dynamically load Javascript from other hosts, and in that, you
can wrap up JSON. It is a commonly used technique, and since the
mechanism is the same as the mechanism by which Javascript *code* is
loaded, there's no differentiating between it and something like the
Google Maps API, or OpenLayers.

There are some security risks associated with this if you have private
data, but that doesn't apply to OSM -- there is no "GET" request that
requires authentication and provides non-public information, afaik.

Proxying isn't that hard. However, if you really don't have *any* server
side to work with -- think googlepages, other FTP-only hosting
mechanisms, etc. -- then it is true that data embedded in a Javascript
function call is a way to avoid cross-site restrictions.

Regards,
-- 
Christopher Schmidt
MetaCarta

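An added example (my own code, not from this post, OpenLayers or the OSM API) of the ?callback= wrapping described above: the XML is returned as a string inside a function call, and the callback name is validated before it is echoed into a response the browser will execute as script. Function names and the sample XML are constructed for illustration.

```javascript
// Only plain identifiers (optionally dotted, e.g. "app.onOsm") are accepted
// as callback names. Since the response is served as JavaScript, an
// unchecked ?callback= value would be reflected straight into executable
// code, so the server must reject anything that is not an identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Server side: wrap an XML document as a string argument to the callback.
// Hypothetical helper name; the real API would add this to its Rails layer.
function wrapXmlForCallback(callbackName, xml) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  // JSON.stringify yields a valid JS string literal, escaping quotes,
  // backslashes and control characters that may occur inside the XML.
  return `${callbackName}(${JSON.stringify(xml)});`;
}

// Client side: the browser would load the response via
// <script src="https://api.example/map?callback=osmLoaded"> (hypothetical URL).
// Here the script execution is simulated with new Function so the round trip
// can be checked offline. Supports simple (undotted) callback names only.
function runJsonp(responseText, callbackName, callback) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error("simulation only supports simple callback names");
  }
  const fn = new Function(callbackName, responseText);
  fn(callback);
}

// Constructed sample in the shape of an OSM API XML response.
const sampleXml =
  '<osm version="0.5"><node id="1" lat="51.5" lon="-0.1"/></osm>';

// Round trip: the string handed to the callback is the original XML,
// which OpenLayers could then parse as it would any XML response.
function roundTrip(callbackName, xml) {
  let received = null;
  const response = wrapXmlForCallback(callbackName, xml);
  runJsonp(response, callbackName, (data) => { received = data; });
  return received;
}
```

The same data is readable by any page on any origin once it is exposed this way, which is why the wrapping belongs only on endpoints that serve public data without authentication, as the post notes for OSM's GET requests.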