Uploaded byefim13
PPTX, PDF1,336 views

Stay Out Please

Itai Koren discusses the challenges of modern web applications, particularly concerning the Same Origin Policy and cross-domain communication. He highlights JSONP and CORS as solutions, while also introducing 'lpajax,' a self-contained transport layer developed at LivePerson, which supports various methods to enhance communication. The presentation concludes with insights on implementing lpajax in conjunction with Backbone.js, offering custom configurations for AJAX requests.

Embed presentation

Downloaded 90 times
Stay Out Please Itai Koren | July 2013 Framework Frontend Team @LivePerson
Who am I? Itai Koren Tech-savvy Engineer @LivePerson A Programmer itaik@liveperson.com
Who am I? ā€œProgrammer - an organism that turns coffee into software.ā€ - Author Unknown
Who am I? ~10 x Cups === feature
Who am I? LivePerson Framework Frontend Team
Todayā€™s Web Applications Todayā€™s web applications/platforms are more than just websites
Todayā€™s Web Applications Javascript SDKā€™s/APIā€™s
Todayā€™s Web Applications
Todayā€™s Web Applications
Todayā€™s Web Applications
Todayā€™s Web Applications
Todayā€™s Web Applications Widgets
Todayā€™s Web Applications
Todayā€™s Web Applications
Todayā€™s Web Applications ā€œLearning JavaScript used to mean you weren't a serious software developer. Today, not learning Javascript means the same thing.ā€ - Jens Ohlig
Stay Out Please XMLHttpRequest api.lpprod.net Backbone jQuery as transport
Stay Out Please S O Ptay ut leaseame rigin olicy
Same Origin Policy ā€¢ Important security concept within modern browsers ā€¢ Originally released with Netscape Navigator 2 (March 1996) ā€¢ Permits script tags, images, css from any site (origin) ā€¢ Permits XHR only from the same site (origin) ā€¢ Prevents access to most methods and properties across different sites (origins)
Same Origin Policy So which solution can we use?
Todayā€™s Web Applications ā€œA good programmer is someone who always looks both ways before crossing a one-way street.ā€ - Doug Linder
Same Origin Policy We can always use JSONP WOT?
JSONP ā€¢ Stands for JSON with Padding ā€¢ Script tags are exception to the Same Origin Policy ā€¢ Just loading a script with JSON data cannot help us (will be lost in the global context) ā€¢ The padding allows us to wrap the result with a global callback ā€¢ The response will be evaluated by the JavaScript interpreter and invoked
JSONP So, we can always use JSONP BUTā€¦
Why not use JSONP? ā€¢ Only valid for GET requests ā€¢ Limited payload size ā€¢ Not flexible (no headers etc.) ā€¢ Insecure ā€¢ Causes IE to leak memory (most implementations)
Same Origin Policy What about CORS?
CORS ā€¢ Stands for Cross Origin Resource Sharing ā€¢ A W3C spec that allows cross-domain communication from the browser ā€¢ Defines a way to determine whether or not to allow the cross-origin request ā€¢ Works by adding new HTTP headers
CORS So what about CORS?
Why not use CORS? ā€¢ Only IE9+ support it natively (IE8 only via XDomainRequest) ā€¢ Requires ā€œpreflightsā€ for requests other than GET or POST (with certain MIME types) and for JSON.
Same Origin Policy So, we will probably have to use proxy WAIT!!!
Stay Out Please S O Ptay riginal leaseame rigin olicy
lpAjax to the rescue ā€¢ Developed in LivePerson ā€¢ Self contained (Vanilla JS) ā€¢ Easy to use ā€¢ Used by entire LivePerson clients as a transport layer ā€¢ Supports three main transport types: XHR, JSONP AND postMessage
Browser to server communications url.com api.liveperson.com api.liveperson.com/pm.html lpAjax postmessage client pm.html Postmessage server xhr
lpAjax postMessage ā€¢ It works!!! ā€¢ Almost as fast as JSONP ā€¢ Can work with REST APIā€™S ā€¢ Very small latency for first API call (iframe creation) ā€¢ Small latency for serialization of data for use with postMessage ā€¢ Beware: 401 Response Codes & failed requests issues
Browser Support ā€¢ Firefox >= 3 ā€¢ Safari >= 4 ā€¢ Chrome ā€¢ Opera >= 9 ā€¢ IE >= 8
lpAjax postMessage And there is even a shim/polyfill for IE7 window.nameā€¦ (limited to 2MB only ļŠ)
lpAjax postMessage Cool I am convinced BUT, how can I use it with Backbone
Backbone with lpAjax postMessage ā€¢ Backbone utilizes jQuery as a transport ā€¢ jQuery allows us to manipulate ajax transports at multiple levels ā€¢ $.ajaxPrefilters - Handle custom options/modify existing options before request is processed by $.ajax() ā€¢ $.ajaxTransport - Creates an object that handles the actual transmission of Ajax data and used by $.ajax() to issue requests ā€¢ Converters ā€“ to manipulate and parse the data returned from the response
Our custom ajaxPrefilter // Register jQuery Ajax Prefilter that detects cross-domain requests and set the request data-type to "postmessage". $.ajaxPrefilter(function (options, originalOptions, jqXHR) { // Get our current origin var originBrowser = window.location; // Get the API url origin var originApi = document.createElement("a"); originApi.href = options.url; // Skip Same Origin API URL's if (originApi.hostname == originBrowser.hostname && originApi.port == originBrowser.port && originApi.protocol == originBrowser.protocol) { return; } // If the domains aren't the same and this isn't a jsonp request, force the data-type of the request to "postmessage". if ("jsonp" !== options.dataType.toLowerCase()) { // Redirect to our ā€œpostmessageā€ temporary transport type return "postmessage"; } });
Our ajaxTransport Implementation // Create the postmessage transport handler (which will proxy the request to lpAjax) and register it for handling postmessage // (the '+' forces overriding any existing implementations for a transport). $.ajaxTransport("+postmessage", function (options, originalOptions, jqXHR) { // Remove the temporary transport dataType options.dataTypes.shift(); return { send:function (requestHeaders, done) { // Build the request object based on what jQuery created for us so far var req = $.extend({}, lpTag.taglets.lpAjax_request); req.headers = requestHeaders; req.method = originalOptions.type; req.data = originalOptions.data; req.url = options.url; // Implement the success and error handlers req.success = function (data) { handlePostMessageResponse(data, done); }; req.error = function (data) { handlePostMessageResponse(data, done); }; // Issue the request using lpAjax postMessage. lpAjax.postmessage.issueCall(req); }, abort:function () {} }; }));
Implement the response handler // Create the response handler for lpAjax to call var handlePostMessageResponse = function (data, done) { // Do any parsing on the response if needed - Here I do nothing for simplicity // Now call the jQuery callback to return the response to jQuery handling done( data.code, // status, data.status, // nativeStatusText, data.body, // responses, data.headers // headers ); };
Backbone with lpAjax postMessage ā€œIf you canā€™t explain it simply, you donā€™t understand it well enough.ā€ -Leonardo Da Vinci
Q&A itaik@liveperson.com Want to work on cool stuff like this? Questions?
Thank You

More Related Content

PPTX
The JSON REST API for WordPress
byTaylor Lovett
Ā 
PDF
JSON REST API for WordPress
byTaylor Lovett
Ā 
PDF
Apache Sling as an OSGi-powered REST middleware
byRobert Munteanu
Ā 
PPTX
Building Your First App with MongoDB
byMongoDB
Ā 
PPT
Krug Fat Client
byPaul Klipp
Ā 
PDF
Mojolicious and REST
byJonas BrĆømsĆø
Ā 
PDF
Spring Web Services: SOAP vs. REST
bySam Brannen
Ā 
PPTX
Day 9 - PostgreSQL Application Architecture
byBarry Jones
Ā 
The JSON REST API for WordPress
byTaylor Lovett
Ā 
JSON REST API for WordPress
byTaylor Lovett
Ā 
Apache Sling as an OSGi-powered REST middleware
byRobert Munteanu
Ā 
Building Your First App with MongoDB
byMongoDB
Ā 
Krug Fat Client
byPaul Klipp
Ā 
Mojolicious and REST
byJonas BrĆømsĆø
Ā 
Spring Web Services: SOAP vs. REST
bySam Brannen
Ā 
Day 9 - PostgreSQL Application Architecture
byBarry Jones
Ā 

What's hot

PDF
Real World Fun with ActiveResource
byRob C
Ā 
PDF
Ancient To Modern: Upgrading nearly a decade of Plone in public radio
byCristopher Ewing
Ā 
PDF
Consuming REST services with ActiveResource
byWolfram Arnold
Ā 
PPTX
I18nize Scala programs aĢ€ la gettext
byNgoc Dao
Ā 
PDF
Building an API with Django and Django REST Framework
byChristopher Foresman
Ā 
PPTX
REST and ASP.NET Web API (Milan)
byJef Claes
Ā 
PDF
Skinny Framework Progress Situation
byKazuhiro Sera
Ā 
KEY
REST Easy - Building RESTful Services in Zend Framework
byChris Weldon
Ā 
PDF
Flickr Architecture Presentation
byeraz
Ā 
PPTX
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
byreneechemel
Ā 
PPTX
Introduction to RESTful Webservices in JAVA
bypsrpatnaik
Ā 
PDF
RESTFul development with Apache sling
bySergii Fesenko
Ā 
PPTX
Automating Your Daily Tasks with Scripting - RubyConf 2015 Taiwan
byAdler Hsieh
Ā 
PDF
Rest with Spring
byEugen Paraschiv
Ā 
PDF
Dynamic content generation
byEleonora Ciceri
Ā 
PDF
Jinx - Malware 2.0
byItzik Kotler
Ā 
PPTX
Django rest framework
byBlank Chen
Ā 
PDF
Angularjs & REST
byCorley S.r.l.
Ā 
PDF
Developing OpenResty Framework
byOpenRestyCon
Ā 
PPTX
Designing REST services with Spring MVC
bySerhii Kartashov
Ā 
Real World Fun with ActiveResource
byRob C
Ā 
Ancient To Modern: Upgrading nearly a decade of Plone in public radio
byCristopher Ewing
Ā 
Consuming REST services with ActiveResource
byWolfram Arnold
Ā 
I18nize Scala programs aĢ€ la gettext
byNgoc Dao
Ā 
Building an API with Django and Django REST Framework
byChristopher Foresman
Ā 
REST and ASP.NET Web API (Milan)
byJef Claes
Ā 
Skinny Framework Progress Situation
byKazuhiro Sera
Ā 
REST Easy - Building RESTful Services in Zend Framework
byChris Weldon
Ā 
Flickr Architecture Presentation
byeraz
Ā 
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
byreneechemel
Ā 
Introduction to RESTful Webservices in JAVA
bypsrpatnaik
Ā 
RESTFul development with Apache sling
bySergii Fesenko
Ā 
Automating Your Daily Tasks with Scripting - RubyConf 2015 Taiwan
byAdler Hsieh
Ā 
Rest with Spring
byEugen Paraschiv
Ā 
Dynamic content generation
byEleonora Ciceri
Ā 
Jinx - Malware 2.0
byItzik Kotler
Ā 
Django rest framework
byBlank Chen
Ā 
Angularjs & REST
byCorley S.r.l.
Ā 
Developing OpenResty Framework
byOpenRestyCon
Ā 
Designing REST services with Spring MVC
bySerhii Kartashov
Ā 

Viewers also liked

PDF
Most dangerous searchterm_us
byAngeline KH
Ā 
PPT
IT103Microsoft Windows XP/OS Chap08
byblusmurfydot1
Ā 
PPT
IT103Microsoft Windows XP/OS Chap11
byblusmurfydot1
Ā 
PPT
IT103Microsoft Windows XP/OS Chap13
byblusmurfydot1
Ā 
PDF
DTA 2011 REV B
bytynanderek
Ā 
PPT
IT103Microsoft Windows XP/OS Chap14
byblusmurfydot1
Ā 
PPSX
Aparato circulatorio
byEuler Ruiz
Ā 
PDF
La energia y la relacion con el desarrollo tecnologico
byEuler Ruiz
Ā 
PPTX
Organizadores
bybernardo55
Ā 
PPT
IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10
byblusmurfydot1
Ā 
PPTX
Javascript for Wep Apps
byMichael Puckett
Ā 
PPT
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
byblusmurfydot1
Ā 
PPTX
Assistive technology
bykturne10
Ā 
PDF
El pensamiento positivo y la mente humana
byEuler Ruiz
Ā 
PPTX
La computadora
bysilovera
Ā 
PPT
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 08
byblusmurfydot1
Ā 
PPSX
Zonas erroneas y la salud mental
byEuler Ruiz
Ā 
PPTX
Building Advanced Web UI in The Enterprise World
byefim13
Ā 
PDF
Parking hormigon prefabricado
byCAMPUS11
Ā 
PPT
Itt operating systems unit 05 lesson 06
byblusmurfydot1
Ā 
Most dangerous searchterm_us
byAngeline KH
Ā 
IT103Microsoft Windows XP/OS Chap08
byblusmurfydot1
Ā 
IT103Microsoft Windows XP/OS Chap11
byblusmurfydot1
Ā 
IT103Microsoft Windows XP/OS Chap13
byblusmurfydot1
Ā 
DTA 2011 REV B
bytynanderek
Ā 
IT103Microsoft Windows XP/OS Chap14
byblusmurfydot1
Ā 
Aparato circulatorio
byEuler Ruiz
Ā 
La energia y la relacion con el desarrollo tecnologico
byEuler Ruiz
Ā 
Organizadores
bybernardo55
Ā 
IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10
byblusmurfydot1
Ā 
Javascript for Wep Apps
byMichael Puckett
Ā 
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
byblusmurfydot1
Ā 
Assistive technology
bykturne10
Ā 
El pensamiento positivo y la mente humana
byEuler Ruiz
Ā 
La computadora
bysilovera
Ā 
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 08
byblusmurfydot1
Ā 
Zonas erroneas y la salud mental
byEuler Ruiz
Ā 
Building Advanced Web UI in The Enterprise World
byefim13
Ā 
Parking hormigon prefabricado
byCAMPUS11
Ā 
Itt operating systems unit 05 lesson 06
byblusmurfydot1
Ā 

Similar to Stay Out Please

PDF
Javascript cross domain communication
byChenKuo Chen
Ā 
KEY
Message in a Bottle
byZohar Arad
Ā 
PPT
Breaking The Cross Domain Barrier
byAlex Sexton
Ā 
PDF
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Š®Ń€ŠøŠ¹ Š§Š°Š¹ŠŗŠ¾Š²...
byGeeksLab Odessa
Ā 
PDF
08 ajax
byYnon Perek
Ā 
PDF
Using Communication and Messaging API in the HTML5 World
byGil Fink
Ā 
PPTX
Browser Internals-Same Origin Policy
byKrishna T
Ā 
PDF
HTML5/JavaScript Communication APIs - DPC 2014
byChristian Wenz
Ā 
PDF
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
byIvo Andreev
Ā 
PDF
The Same-Origin Policy
byFabrizio Farinacci
Ā 
PDF
AJAX - An introduction
byEleonora Ciceri
Ā 
PDF
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsys
byCodemotion Tel Aviv
Ā 
PDF
Cross Origin Communication (CORS)
byRay Nicholus
Ā 
PDF
AJAX Transport Layer
bySiarhei Barysiuk
Ā 
PPTX
Web Security - Cookies, Domains and CORS
byPerfectial, LLC
Ā 
PPT
Ajax
byRathan Raj
Ā 
PDF
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
Ā 
PPTX
Secure web messaging in HTML5
byKrishna T
Ā 
PPTX
JSON based CSRF
byAmit Dubey
Ā 
PPTX
Introduction to Web Architecture
byChamnap Chhorn
Ā 
Javascript cross domain communication
byChenKuo Chen
Ā 
Message in a Bottle
byZohar Arad
Ā 
Breaking The Cross Domain Barrier
byAlex Sexton
Ā 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Š®Ń€ŠøŠ¹ Š§Š°Š¹ŠŗŠ¾Š²...
byGeeksLab Odessa
Ā 
08 ajax
byYnon Perek
Ā 
Using Communication and Messaging API in the HTML5 World
byGil Fink
Ā 
Browser Internals-Same Origin Policy
byKrishna T
Ā 
HTML5/JavaScript Communication APIs - DPC 2014
byChristian Wenz
Ā 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
byIvo Andreev
Ā 
The Same-Origin Policy
byFabrizio Farinacci
Ā 
AJAX - An introduction
byEleonora Ciceri
Ā 
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsys
byCodemotion Tel Aviv
Ā 
Cross Origin Communication (CORS)
byRay Nicholus
Ā 
AJAX Transport Layer
bySiarhei Barysiuk
Ā 
Web Security - Cookies, Domains and CORS
byPerfectial, LLC
Ā 
Ajax
byRathan Raj
Ā 
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
Ā 
Secure web messaging in HTML5
byKrishna T
Ā 
JSON based CSRF
byAmit Dubey
Ā 
Introduction to Web Architecture
byChamnap Chhorn
Ā 

Recently uploaded

PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
Ā 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
Ā 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
Ā 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
Ā 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupŔčini IEEE Slovenija ...
byUniversity of Maribor
Ā 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
Ā 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
Ā 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
Ā 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
Ā 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
Ā 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
Ā 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
Ā 
PDF
Track Phone Location via Number (2026)_ What Actually Works, Whatā€™s a Scam, a...
byEmily Woods
Ā 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
Ā 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
Ā 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
Ā 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
Ā 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isnā€™t really...
byapidays
Ā 
PDF
Track Phone Location by Number (2026)_ Whatā€™s Actually Possible for Free (and...
byEmily Woods
Ā 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
Ā 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
Ā 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
Ā 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
Ā 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupŔčini IEEE Slovenija ...
byUniversity of Maribor
Ā 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
Ā 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
Ā 
AI and Zero Trust: What it takes to do it right
byMark Simos
Ā 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
Ā 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
Ā 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
Ā 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
Ā 
Track Phone Location via Number (2026)_ What Actually Works, Whatā€™s a Scam, a...
byEmily Woods
Ā 
Designing a Blog Using Wordpress
bymarkzubi50
Ā 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
Ā 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
Ā 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
Ā 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isnā€™t really...
byapidays
Ā 
Track Phone Location by Number (2026)_ Whatā€™s Actually Possible for Free (and...
byEmily Woods
Ā 

Stay Out Please

  • 1.
    Stay Out Please ItaiKoren | July 2013 Framework Frontend Team @LivePerson
  • 2.
    Who am I? ItaiKoren Tech-savvy Engineer @LivePerson A Programmer itaik@liveperson.com
  • 3.
    Who am I? ā€œProgrammer- an organism that turns coffee into software.ā€ - Author Unknown
  • 4.
    Who am I? ~10x Cups === feature
  • 5.
    Who am I? LivePersonFramework Frontend Team
  • 6.
    Todayā€™s Web Applications Todayā€™sweb applications/platforms are more than just websites
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
    Todayā€™s Web Applications ā€œLearningJavaScript used to mean you weren't a serious software developer. Today, not learning Javascript means the same thing.ā€ - Jens Ohlig
  • 16.
  • 17.
    Stay Out Please SO Ptay ut leaseame rigin olicy
  • 18.
    Same Origin Policy ā€¢Important security concept within modern browsers ā€¢ Originally released with Netscape Navigator 2 (March 1996) ā€¢ Permits script tags, images, css from any site (origin) ā€¢ Permits XHR only from the same site (origin) ā€¢ Prevents access to most methods and properties across different sites (origins)
  • 19.
    Same Origin Policy Sowhich solution can we use?
  • 20.
    Todayā€™s Web Applications ā€œAgood programmer is someone who always looks both ways before crossing a one-way street.ā€ - Doug Linder
  • 21.
    Same Origin Policy Wecan always use JSONP WOT?
  • 22.
    JSONP ā€¢ Stands forJSON with Padding ā€¢ Script tags are exception to the Same Origin Policy ā€¢ Just loading a script with JSON data cannot help us (will be lost in the global context) ā€¢ The padding allows us to wrap the result with a global callback ā€¢ The response will be evaluated by the JavaScript interpreter and invoked
  • 23.
    JSONP So, we canalways use JSONP BUTā€¦
  • 24.
    Why not useJSONP? ā€¢ Only valid for GET requests ā€¢ Limited payload size ā€¢ Not flexible (no headers etc.) ā€¢ Insecure ā€¢ Causes IE to leak memory (most implementations)
  • 25.
  • 26.
    CORS ā€¢ Stands forCross Origin Resource Sharing ā€¢ A W3C spec that allows cross-domain communication from the browser ā€¢ Defines a way to determine whether or not to allow the cross-origin request ā€¢ Works by adding new HTTP headers
  • 27.
  • 28.
    Why not useCORS? ā€¢ Only IE9+ support it natively (IE8 only via XDomainRequest) ā€¢ Requires ā€œpreflightsā€ for requests other than GET or POST (with certain MIME types) and for JSON.
  • 29.
    Same Origin Policy So,we will probably have to use proxy WAIT!!!
  • 30.
    Stay Out Please SO Ptay riginal leaseame rigin olicy
  • 31.
    lpAjax to therescue ā€¢ Developed in LivePerson ā€¢ Self contained (Vanilla JS) ā€¢ Easy to use ā€¢ Used by entire LivePerson clients as a transport layer ā€¢ Supports three main transport types: XHR, JSONP AND postMessage
  • 32.
    Browser to servercommunications url.com api.liveperson.com api.liveperson.com/pm.html lpAjax postmessage client pm.html Postmessage server xhr
  • 33.
    lpAjax postMessage ā€¢ Itworks!!! ā€¢ Almost as fast as JSONP ā€¢ Can work with REST APIā€™S ā€¢ Very small latency for first API call (iframe creation) ā€¢ Small latency for serialization of data for use with postMessage ā€¢ Beware: 401 Response Codes & failed requests issues
  • 34.
    Browser Support ā€¢ Firefox>= 3 ā€¢ Safari >= 4 ā€¢ Chrome ā€¢ Opera >= 9 ā€¢ IE >= 8
  • 35.
    lpAjax postMessage And thereis even a shim/polyfill for IE7 window.nameā€¦ (limited to 2MB only ļŠ)
  • 36.
    lpAjax postMessage Cool I amconvinced BUT, how can I use it with Backbone
  • 37.
    Backbone with lpAjaxpostMessage ā€¢ Backbone utilizes jQuery as a transport ā€¢ jQuery allows us to manipulate ajax transports at multiple levels ā€¢ $.ajaxPrefilters - Handle custom options/modify existing options before request is processed by $.ajax() ā€¢ $.ajaxTransport - Creates an object that handles the actual transmission of Ajax data and used by $.ajax() to issue requests ā€¢ Converters ā€“ to manipulate and parse the data returned from the response
  • 38.
    Our custom ajaxPrefilter //Register jQuery Ajax Prefilter that detects cross-domain requests and set the request data-type to "postmessage". $.ajaxPrefilter(function (options, originalOptions, jqXHR) { // Get our current origin var originBrowser = window.location; // Get the API url origin var originApi = document.createElement("a"); originApi.href = options.url; // Skip Same Origin API URL's if (originApi.hostname == originBrowser.hostname && originApi.port == originBrowser.port && originApi.protocol == originBrowser.protocol) { return; } // If the domains aren't the same and this isn't a jsonp request, force the data-type of the request to "postmessage". if ("jsonp" !== options.dataType.toLowerCase()) { // Redirect to our ā€œpostmessageā€ temporary transport type return "postmessage"; } });
  • 39.
    Our ajaxTransport Implementation //Create the postmessage transport handler (which will proxy the request to lpAjax) and register it for handling postmessage // (the '+' forces overriding any existing implementations for a transport). $.ajaxTransport("+postmessage", function (options, originalOptions, jqXHR) { // Remove the temporary transport dataType options.dataTypes.shift(); return { send:function (requestHeaders, done) { // Build the request object based on what jQuery created for us so far var req = $.extend({}, lpTag.taglets.lpAjax_request); req.headers = requestHeaders; req.method = originalOptions.type; req.data = originalOptions.data; req.url = options.url; // Implement the success and error handlers req.success = function (data) { handlePostMessageResponse(data, done); }; req.error = function (data) { handlePostMessageResponse(data, done); }; // Issue the request using lpAjax postMessage. lpAjax.postmessage.issueCall(req); }, abort:function () {} }; }));
  • 40.
    Implement the responsehandler // Create the response handler for lpAjax to call var handlePostMessageResponse = function (data, done) { // Do any parsing on the response if needed - Here I do nothing for simplicity // Now call the jQuery callback to return the response to jQuery handling done( data.code, // status, data.status, // nativeStatusText, data.body, // responses, data.headers // headers ); };
  • 41.
    Backbone with lpAjaxpostMessage ā€œIf you canā€™t explain it simply, you donā€™t understand it well enough.ā€ -Leonardo Da Vinci
  • 42.
    Q&A itaik@liveperson.com Want to workon cool stuff like this? Questions?
  • 43.

Editor's Notes

  • #2Ā Ido
  • #22Ā IE<=8 leaks 4kb each request
  • #25Ā IE<=8 leaks 4kb each request
  • #28Ā IE<=8 leaks 4kb each request
  • #29Ā Creates each domain iframe only onceThere are browsers which already support postMessage with objects (with no need for serialization)401 response code will cause the browser to pop up an authentication (can be fixed by overriding the default WWW-Authenticate: BasicĀ realm=ā€œxxxā€header) 8 consecutive failed requests from the same iframe will abort the iframe usage
  • #32Ā Creates each domain iframe only onceThere are browsers which already support postMessage with objects (with no need for serialization)401 response code will cause the browser to pop up an authentication (can be fixed by overriding the default WWW-Authenticate: BasicĀ realm=ā€œxxxā€header) 8 consecutive failed requests from the same iframe will abort the iframe usage
  • #33Ā Creates each domain iframe only onceThere are browsers which already support postMessage with objects (with no need for serialization)401 response code will cause the browser to pop up an authentication (can be fixed by overriding the default WWW-Authenticate: BasicĀ realm=ā€œxxxā€header) 8 consecutive failed requests from the same iframe will abort the iframe usage
  • #34Ā Creates each domain iframe only onceThere are browsers which already support postMessage with objects (with no need for serialization)401 response code will cause the browser to pop up an authentication (can be fixed by overriding the default WWW-Authenticate: BasicĀ realm=ā€œxxxā€header) 8 consecutive failed requests from the same iframe will abort the iframe usage
  • #35Ā Creates each domain iframe only onceThere are browsers which already support postMessage with objects (with no need for serialization)401 response code will cause the browser to pop up an authentication (can be fixed by overriding the default WWW-Authenticate: BasicĀ realm=ā€œxxxā€header) 8 consecutive failed requests from the same iframe will abort the iframe usage