Why do AFS Widgets require a proxy? - AFS

AFS Integration Guide

Reference Guide

AFS Widgets interact directly with AFS Web Services (Search, ACP, Click, CKS, ...) through HTTP requests that the web browser issues from JavaScript using AJAX (XMLHttpRequest).

In web browsers, AJAX requests are subject to a security rule called the Same Origin Policy. It prevents JavaScript code running in a page from reading the response of a request sent to an origin (scheme, host and port) other than the one the page was loaded from, unless the target server explicitly opts in through CORS response headers.

The principle is simple: a script is trusted within the origin it was loaded from. It may request that origin through AJAX and read the results, but it may not read data from any other origin. Consequently, an origin should only serve scripts it trusts.

Many websites are vulnerable to XSS attacks, in which an attacker injects a script into a page. Such a script runs with the page's origin and can read the page's data. The Same Origin Policy confines it to that origin: it cannot read responses from other sites the user is logged in to, which limits the damage that such an attack can cause.

Unless AFS Web Services are served from the same origin as the integration web site, a reverse proxy on the integration site is required to forward the widgets' requests to AFS Web Services. The proxy must relay the request and its response on the server side; an HTTP 3xx redirect is not enough, because the browser would follow it to the AFS origin and the Same Origin Policy would apply again.

Here is an example of a proxy set-up:

  • Assume an AFS Widget integration at http://www.example.com/search.html.
  • AFS Widgets must reach AFS Web Services on that same origin. A proxy is mounted at /afs/ on www.example.com and forwards to the AFS server (for instance http://afs-services.com). The widgets' afsPath configuration is set to /afs/.
  • When the widgets request http://www.example.com/afs/search?afs:service=555, the proxy forwards the request to http://afs-services.com/search?afs:service=555 and returns the AFS response to the browser.

But why do widgets such as the Facebook "Like" button not require a proxy?
These widgets (Facebook, Google Plus, Twitter, ...) avoid the Same Origin Policy rather than bypass it: either the button itself is an iframe whose location is a page on the widget provider's domain, or the provider's script creates such an iframe. In both cases the code that talks to the provider runs inside a document from the provider's own origin, so its AJAX requests are same-origin and allowed. What that iframe cannot do is read or modify the embedding page; any exchange with it has to go through an explicit channel such as postMessage.

To learn more about the Same Origin Policy, see:
- SOP for Javascript,
- http://en.wikipedia.org/wiki/Same_origin_policy.