This post is article 19 from the 30 Articles App series for SharePoint
In this article, I will discuss Cross-Domain Calls: what they are and how to make them work in Apps.
What is Cross-Domain Call?
Cross-Site Request Forgery is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf, such as changing the victim’s e-mail address, home address, or password, or purchasing something. These types of attacks generally target functions that cause a state change on the server, but they can also be used to access sensitive data.
By default, browsers block this type of cross-domain communication for security reasons: they don’t want malicious apps to grab data or execute code without the user knowing it.
What do you do when your app actually needs to make a safe and trusted cross-domain call?
The App model for SharePoint and its remote-hosting options quickly bring developers face to face with cross-domain challenges. So how do you achieve a trusted and secure connection? SharePoint offers the cross-domain JavaScript library SP.RequestExecutor.js, which you can find in the LAYOUTS directory. By using this library, your app can pull information from SharePoint into the app and pass it on from the app to other web applications.
How does it actually work?
Your app will also need permission to make cross-domain calls, and the domains it talks to have to be registered as “allowed domains”.
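The following is an added example and not code from the article: it shows a cross-domain REST call from an app page to its SharePoint host web through SP.RequestExecutor, with the URL handling separated from the call so it can be exercised outside SharePoint. It assumes (the article does not say so) that the app page receives the host web and app web URLs in the SPHostUrl and SPAppWebUrl query-string parameters, that the library is served from <host web>/_layouts/15/SP.RequestExecutor.js, and that the host web is reached through the SP.AppContextSite(@target) form of the REST API; the executor object is passed in so the same code runs against a fake.

```javascript
// Added example, not code from the article: issuing a cross-domain REST call
// from an app page to its SharePoint host web through SP.RequestExecutor.
// Assumptions (not stated in the article): the app page receives the host web
// and app web URLs in the SPHostUrl and SPAppWebUrl query-string parameters,
// the library is served at <host web>/_layouts/15/SP.RequestExecutor.js, and
// the host web is addressed through the SP.AppContextSite(@target) form of the
// REST API. The executor is passed in, so the call can be run against a fake
// object outside SharePoint.

// Read one parameter from a query string such as window.location.search.
// URLSearchParams already percent-decodes the value.
function getQueryParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Only accept an https URL with no characters that could break out of the
// OData string literal the URL is later embedded in.
function assertTrustedWebUrl(candidate) {
  const parsed = new URL(candidate);            // throws on garbage input
  if (parsed.protocol !== "https:") throw new Error(`not https: ${candidate}`);
  if (/['"\s]/.test(candidate)) throw new Error(`unsafe characters in ${candidate}`);
  return candidate.replace(/\/+$/, "");         // drop trailing slashes
}

// Build the URL that asks the app web to proxy a REST call to the host web.
function buildHostWebListsUrl(appWebUrl, hostWebUrl) {
  const app = assertTrustedWebUrl(appWebUrl);
  const host = assertTrustedWebUrl(hostWebUrl);
  return `${app}/_api/SP.AppContextSite(@target)/web/lists?@target='${host}'`;
}

// Load SP.RequestExecutor.js from the host web (browser only).
function loadRequestExecutor(hostWebUrl) {
  return new Promise((resolve, reject) => {
    const script = document.createElement("script");
    script.src = `${assertTrustedWebUrl(hostWebUrl)}/_layouts/15/SP.RequestExecutor.js`;
    script.onload = resolve;
    script.onerror = () => reject(new Error("SP.RequestExecutor.js failed to load"));
    document.head.appendChild(script);
  });
}

// Wrap executor.executeAsync in a Promise. `executor` is normally
// new SP.RequestExecutor(appWebUrl); here it can be any object with the same
// executeAsync(request) shape (success receives data.body as a string).
function executeCrossDomain(executor, url) {
  return new Promise((resolve, reject) => {
    executor.executeAsync({
      url,
      method: "GET",
      headers: { Accept: "application/json; odata=verbose" },
      success: (data) => resolve(JSON.parse(data.body)),
      error: (data, errorCode, errorMessage) =>
        reject(new Error(`${errorCode}: ${errorMessage}`)),
    });
  });
}

// Entry point for the app page: reads the URLs, calls the host web through the
// executor the factory returns, and resolves to the host web's list titles.
async function listHostWebLists(search, executorFactory) {
  const hostWebUrl = getQueryParam(search, "SPHostUrl");
  const appWebUrl = getQueryParam(search, "SPAppWebUrl");
  if (!hostWebUrl || !appWebUrl) throw new Error("SPHostUrl and SPAppWebUrl are required");
  const url = buildHostWebListsUrl(appWebUrl, hostWebUrl);
  const executor = executorFactory(appWebUrl);
  const result = await executeCrossDomain(executor, url);
  return result.d.results.map((list) => list.Title);
}

// In the real page: await loadRequestExecutor(hostWebUrl) first, then call
// listHostWebLists(window.location.search, (u) => new SP.RequestExecutor(u)).
```

The URL check matters because the host web URL ends up inside an OData string literal; rejecting quotes, whitespace and non-https schemes before building the request keeps a tampered query string from redirecting the call or corrupting the query.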
Check the next article to know more about how to implement cross-domain calls in SharePoint Apps.
2 thoughts on “Article 19 from 30 : Understanding Cross Domain calls”
Thank you for a very clear write up.
You wrote: By default, browsers block this type of communication for security reasons; they don’t want malicious apps to grab data or execute code without users knowing it.
This is technically correct, but developers should also be aware that modern browsers will support cross-domain calls to HTTP endpoints which support the CORS standard [ http://en.wikipedia.org/wiki/Cross-origin_resource_sharing ] without all of this IFrame and PostMessage overhead. Only a limited number of public endpoints support this standard, but if you own the endpoints, CORS is simple to implement on the server side using tools like Microsoft’s Web API.
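As an added example of the server side the comment refers to (not the commenter's code, and not tied to the article's SharePoint library), here is a minimal Node.js HTTP handler that answers CORS preflight and actual requests from an explicit origin allow list. The API path and the two trusted origins are constructed values. CORS only controls whether the browser lets the calling page read the response; the request itself still reaches the server, so a state-changing endpoint still needs the anti-CSRF measures the article's opening paragraph motivates.

```javascript
// Added example, not the commenter's or the article's code: the server side of a
// CORS exchange as a plain Node.js http handler. Constructed assumptions: the API
// is served at /api/items and only the two origins in ALLOWED_ORIGINS are trusted.
// The origin check is an exact-match allow list; the Origin header is never
// echoed back unchecked and "*" is not used, since the endpoint is called with
// credentials.

const ALLOWED_ORIGINS = new Set([
  "https://contoso.sharepoint.com",   // constructed host web origin
  "https://app-contoso.example",      // constructed app web origin
]);

const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["Content-Type", "Accept"];

// Returns the CORS response headers for a trusted origin, or null when the
// origin is absent or not on the allow list (the browser then blocks the read).
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
    "Access-Control-Max-Age": "600",
    // Responses differ per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Decides status, headers and body for a request without touching sockets, so
// the logic can be exercised directly. `req` is { method, url, headers }.
function respond(req) {
  const cors = corsHeadersFor(req.headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: grant only trusted origins; refuse everyone else.
    return cors
      ? { status: 204, headers: cors, body: "" }
      : { status: 403, headers: {}, body: "" };
  }
  if (req.url !== "/api/items") {
    return { status: 404, headers: {}, body: "not found" };
  }
  // Constructed sample payload. An untrusted origin still gets the body, but
  // without CORS headers the browser will not hand it to the calling page.
  const body = JSON.stringify({ items: [{ id: 1, title: "Cross-domain item" }] });
  const headers = { "Content-Type": "application/json", ...(cors || {}) };
  return { status: 200, headers, body };
}

// Wire the handler to a real listener. The lazy require keeps the functions
// above usable from either module system.
function startServer(port) {
  const http = require("http");
  const server = http.createServer((req, res) => {
    const out = respond({ method: req.method, url: req.url, headers: req.headers });
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  });
  server.listen(port);
  return server;
}
```

Run it with `startServer(8080)` and issue a request with an `Origin` header from one of the listed origins; the same request with any other origin receives the data but no `Access-Control-Allow-Origin` header, and its preflight is refused with 403.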
Nice series! Thanks.