Custom Elements—Authorised Requests


Previously in our series on custom elements we saw how to communicate with a remote server that provides some services to our form. But what if the server should not be publicly available? Remember that the entire custom element code (including the server address and the service) is written in JavaScript, and the code is visible in the browser.

Before we can explain the solution to this problem, we need to explain the mechanism that makes sending requests to external servers possible. First of all, browsers don’t allow AJAX requests that go beyond the domain from which the page was served. That is why an attempt to send a request manually to our service with an XMLHttpRequest object would end in a security alert. To bypass this protection and enable custom element developers to integrate external services, ActiveForms offers a proxy mechanism for requests from custom elements.

When a sendRequest function is used in custom element code, the request is not sent directly to the specified URL. It is sent to the ActiveForms server, which acts as a proxy and forwards the request to the target server. Obviously, the response returns the same way. The request and response headers are transferred.

This solution allows us to modify the address where the request really goes on the ActiveForms server. The custom element can be configured so that a fixed string can be attached to specific requests sent from the element. In the custom element Properties select yes in External request suffix and specify:

  • What will be attached to the address.
  • What address it will be attached to (more specifically, how the address begins).

From now on, all requests sent by the given custom element to an address that begins with the specified phrase will be complemented (by concatenation) by the specified string. In practice, you can write the following:

Request suffix: ?user=adam&pass=auFd832f
Beginning of the URL: https://myserver.com/products

Moreover, since a custom element usually sends requests of only one type, you can write:

Request suffix: myserver.com/products?user=adam&pass=auFd832f
Beginning of the URL: https://

That will hide the server address from the browser completely. The JavaScript code of the custom element will specify that the request should be sent to ‘https://’. The proxy on the ActiveForms server will add the complete server address to this URL.
If you want additional protection for the server against external requests, it is a good idea to cut off traffic from servers other than ActiveForms at the network layer level.
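
The suffix rule described above can be checked before it is saved. The following is an added example, not ActiveForms code: `applySuffix` models the rule exactly as the article states it (prefix match, then concatenation), and `reviewRule` is a hypothetical helper that reports where the credential-bearing URL would actually go. The host `cdn.example` and the `?id=5` URL are constructed sample inputs.

```javascript
// Model of the rule as the article states it: if the requested address begins
// with `prefix`, `suffix` is concatenated to it; otherwise it is unchanged.
// (Assumption: this mirrors the proxy's behaviour; it is not the proxy's code.)
function applySuffix(rule, requestedUrl) {
  return requestedUrl.startsWith(rule.prefix)
    ? requestedUrl + rule.suffix
    : requestedUrl;
}

// Review a rule against the URLs the custom element's JavaScript requests.
// expectedHost is the server the credentials are meant for.
function reviewRule(rule, expectedHost, elementUrls) {
  const findings = [];
  for (const url of elementUrls) {
    const finalUrl = applySuffix(rule, url);
    if (finalUrl === url) {
      findings.push({ url, issue: 'no suffix added' });
      continue;
    }
    let parsed;
    try {
      parsed = new URL(finalUrl);
    } catch {
      findings.push({ url, issue: 'malformed result' });
      continue;
    }
    if (parsed.hostname !== expectedHost) {
      // The suffix (and the credentials in it) would reach another server.
      findings.push({ url, issue: 'suffix sent to ' + parsed.hostname });
    } else if (parsed.search.includes('?', 1)) {
      // Plain concatenation onto a URL that already had a query string.
      findings.push({ url, issue: 'second "?" in query' });
    }
  }
  return findings;
}

// The two configurations from the article.
const ruleA = { prefix: 'https://myserver.com/products',
                suffix: '?user=adam&pass=auFd832f' };
const ruleB = { prefix: 'https://',
                suffix: 'myserver.com/products?user=adam&pass=auFd832f' };

console.log(applySuffix(ruleA, 'https://myserver.com/products'));
console.log(reviewRule(ruleA, 'myserver.com', ['https://myserver.com/products?id=5']));
console.log(reviewRule(ruleB, 'myserver.com', ['https://', 'https://cdn.example/data.json']));
```

With the bare `https://` prefix, the rule matches every HTTPS address the element requests, so an element using that configuration should send requests only to `https://`.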
