Anyone building a web application knows that XmlHttpRequest can only be made to the same domain and port that the page was loaded from. This is known as the ‘single origin’ policy for web browsers. Bypassing this restriction is known as Cross-Site Scripting or XSS. While there are some very real security reasons for only allowing a web page to access resources from its own domain and port, there are some really cool things that can be done when bypassing this restriction.
There are many client-side tricks to bypass the single origin policy: iframe name attributes, adding img tags to the DOM, even javascript compiled as PNGs (Firefox only).
YQL offers a server-side proxy service, and I’ve seen some PHP proxies on the web, but if you run Nginx it’s dead simple to make your own. I’ll use the Twitter API as an example.
Say you want to show Twitter search results in a web page. You could register with Twitter and get an API key, make the search, cache the results and serve them to the user. It’s much easier to just proxy the request with Nginx like this:
events {}    # required top-level block in a stand-alone nginx.conf

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        listen      8080;
        server_name *.codebudo.com codebudo.com;

        # Trailing slash on both the location and the proxy_pass URI: nginx replaces
        # the matched "/twitter/" with "/", so /twitter/search.json is sent upstream
        # as /search.json (with "location /twitter" the upstream would see "//search.json").
        location /twitter/ {
            proxy_pass     http://search.twitter.com/;
            # proxy_redirect <Location value sent by upstream> <what the browser should see>:
            # rewrite redirects that point at the upstream so they come back through this proxy.
            proxy_redirect http://search.twitter.com/ http://codebudo.com:8080/twitter/;
        }
    }
}
This lets us take any request to http://codebudo.com:8080/twitter/search.json?q=%23haiku and have it mimic the results you’d get from http://search.twitter.com/search.json?q=%23haiku. So, it’s a proxy. Not a big deal, but it has some really useful applications.
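As an added example (not code from the original post, and not Nginx itself), the following Python models what the config above does to a request: how the part of the URI matching the location is swapped for the proxy_pass URI (including the double-slash you get when the location has no trailing slash), how proxy_redirect rewrites an upstream Location header back to the proxy's own address, and an allow-list check on the upstream path. The host names and paths mirror the post's config; the allow-list and the function names are assumptions for illustration, since a location like this otherwise forwards any path and query string the browser sends to the upstream.

```python
"""Added example: model of nginx proxy_pass / proxy_redirect rewriting for the
/twitter location in the post, plus an assumed allow-list on upstream paths."""
from urllib.parse import urlsplit

# Values mirroring the post's configuration (assumed for illustration).
PUBLIC_ORIGIN = "http://codebudo.com:8080"
LOCATION_PREFIX = "/twitter/"          # the trailing slash matters, see rewrite_request
UPSTREAM = "http://search.twitter.com/"

# Assumed allow-list: only the upstream endpoint the web page actually needs.
ALLOWED_UPSTREAM_PATHS = {"/search.json"}


def rewrite_request(path_and_query, location_prefix=LOCATION_PREFIX, upstream=UPSTREAM):
    """Return the URL nginx would request upstream for an incoming request URI.

    nginx replaces the part of the URI that matched the location prefix with the
    URI part of proxy_pass. With prefix "/twitter/" and proxy_pass ending in "/",
    "/twitter/search.json" becomes "/search.json". With prefix "/twitter" (no
    slash) the same request yields "//search.json". Returns None if the location
    does not match at all.
    """
    if not path_and_query.startswith(location_prefix):
        return None
    return upstream + path_and_query[len(location_prefix):]


def rewrite_location_header(location, upstream=UPSTREAM,
                            public_prefix=PUBLIC_ORIGIN + LOCATION_PREFIX):
    """Model of proxy_redirect: if the upstream redirects to itself, rewrite the
    Location header so the browser follows the redirect through the proxy and
    stays on the page's own origin. Redirects to other hosts are left untouched."""
    if location.startswith(upstream):
        return public_prefix + location[len(upstream):]
    return location


def is_allowed(upstream_url, allowed_paths=ALLOWED_UPSTREAM_PATHS):
    """Allow-list check on the upstream path (query string ignored), so the proxy
    cannot be used to reach arbitrary upstream endpoints. A path with a stray
    leading double slash is rejected too, which also flags the no-trailing-slash
    misconfiguration."""
    return urlsplit(upstream_url).path in allowed_paths


if __name__ == "__main__":
    incoming = "/twitter/search.json?q=%23haiku"      # constructed request URI
    target = rewrite_request(incoming)
    print(incoming, "->", target, "(allowed)" if is_allowed(target) else "(blocked)")
    # Same request through "location /twitter" (no trailing slash): note the "//".
    print(rewrite_request(incoming, location_prefix="/twitter"))
    # Upstream redirect rewritten so the browser keeps talking to the proxy.
    print(rewrite_location_header("http://search.twitter.com/search.json?page=2"))
```

Run it directly to see the three rewrites; the allow-list is the check to add if the location stays as open as in the post, because everything under /twitter/ is otherwise relayed verbatim.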