Article 19 from 30 : Understanding Cross Domain calls

This post is article 19 from the 30 Articles App series for SharePoint

In this article, I will discuss Cross-Domain Calls: what they are and how to make them happen for Apps.

What is Cross-Domain Call?

As the name suggests, whenever an app or program makes client-side calls (for example, using JavaScript + XMLHttpRequest) from a page hosted in one domain (for example, http://www.domain_1.com/appPage.html) to a page or service hosted in a different domain (for example, http://domain_2.com), it is called a Cross-Domain call.

Cross-Site Request Forgery is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf, such as changing the victim’s e-mail address, home address or password, or purchasing something. These types of attacks generally target functions that cause a state change on the server, but they can also be used to access sensitive data.

By default, browsers block this type of communication for security reasons; they don’t want malicious apps to grab data or execute code without the user knowing it.

What to do when your app actually needs to make a safe and trusted cross-domain call?

The App model for SharePoint and its remote-hosting options quickly put developers face to face with cross-domain challenges. So how do you achieve this trusted and secure connection? SharePoint offers the Cross-Domain JS library SP.RequestExecutor.js, which you can find in the LAYOUTS directory. By utilizing this library, your app can incorporate information from SharePoint, and data from your app can in turn be used in other web apps.

How does it actually work?

[Figure: crossdomaincalls1]

Behind the scenes, this JavaScript library uses a hidden IFrame, PostMessage and a proxy page to take care of making a secure connection to SharePoint. The proxy page is responsible for forwarding calls to the underlying SharePoint infrastructure.

Your app will also need permission to make cross-domain calls, and the domains it talks to have to be registered as “allowed domains”.
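To make the hidden-IFrame/PostMessage/proxy-page arrangement concrete, here is an added example (not code from the original post, nor SharePoint’s own SP.RequestExecutor.js) of the check a proxy page has to perform on every incoming message: the sender’s origin is compared against the registered “allowed domains” before anything is forwarded. The origins, host-web URL and message shape below are assumptions.

```javascript
// Added example, not SharePoint's code: the core of a postMessage proxy page.
// The proxy only forwards requests whose sender origin is on the allow-list
// (mirroring the "allowed domains" registration), and only relative API paths,
// so a caller cannot turn the proxy into an open relay to arbitrary hosts.
// All hosts, paths and messages below are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.contoso-apps.example",   // constructed, registered app origin
]);

// Shape a forwarded request from a validated message; null means "refuse".
function buildForwardedRequest(msg, hostWebBase) {
  if (typeof msg !== "object" || msg === null) return null;
  if (typeof msg.url !== "string" || !msg.url.startsWith("/_api/")) return null;
  const method = String(msg.method || "GET").toUpperCase();
  if (!["GET", "POST"].includes(method)) return null;
  return { method, url: hostWebBase + msg.url,
           headers: { Accept: "application/json;odata=verbose" } };
}

// What the proxy page's window "message" listener should do. In a real page the
// result is sent back with event.source.postMessage(reply, event.origin),
// i.e. with an explicit targetOrigin, never "*".
function handleProxyMessage(event, hostWebBase) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin not in allow-list", origin: event.origin };
  }
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return { ok: false, reason: "bad payload" }; }
  const req = buildForwardedRequest(msg, hostWebBase);
  if (!req) return { ok: false, reason: "request not permitted" };
  return { ok: true, request: req };
}

// Constructed sample messages: a registered app, an unknown origin, and a
// registered app trying to use the proxy to reach an unrelated host.
const SAMPLE_EVENTS = [
  { origin: "https://app.contoso-apps.example", data: JSON.stringify({ method: "get", url: "/_api/web/lists" }) },
  { origin: "https://evil.example",             data: JSON.stringify({ method: "GET", url: "/_api/web/lists" }) },
  { origin: "https://app.contoso-apps.example", data: JSON.stringify({ method: "GET", url: "https://elsewhere.example/x" }) },
];

function runSamples() {
  return SAMPLE_EVENTS.map(ev => handleProxyMessage(ev, "https://hostweb.example"));
}

runSamples().forEach(r => console.log(JSON.stringify(r)));
```

Only the first sample is forwarded; the other two are refused before any request leaves the proxy.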

Check the next article to know more about how to implement cross-domain calls in SharePoint Apps.


2 thoughts on “Article 19 from 30 : Understanding Cross Domain calls”

  1. Thank you for a very clear write up.

    You wrote: By default, browsers block this type of communication for security reasons; they don’t want malicious apps to grab data or execute code without users knowing it.

    This is technically correct but developers should also be aware that modern browsers will support cross domain calls to HTTP Endpoints which support the CORS standard [ http://en.wikipedia.org/wiki/Cross-origin_resource_sharing ] without all of this IFrame and PostMessage overhead. Only a limited number of public endpoints support this standard but if you own the endpoints CORS is simple to implement on the server side using tools like Microsoft’s WEB API.
