Tutorial: Amazon.com Search API

Cross-Domain Security

Figure 3: Cross-Domain Security

Since Amazon began offering its data as a web service, there has been one major obstacle for developers trying to use its API from inside a web page: cross-domain security.

Because a web browser talks to many different sites at once, each holding different kinds of data, it needs rules that protect the integrity and privacy of sensitive information (for example, financial data in a logged-in session, or application code) from pages served by other sites.

For most content, a page may only interact with content from the same domain. For example, a typical page on www.microsoft.com can freely script content on any other page on www.microsoft.com, but cannot script pages located on a different web domain.

Browsers enforce this as the same-origin policy: two pages may script each other freely only when the scheme, host and (in most browsers) port of their URLs are identical. The protocol has to match as well as the host, so an HTTP page cannot access HTTPS content even on the same server. The document.domain property exposed by the DHTML Object Model does not tighten this rule but relaxes it: pages from different subdomains of one site (say www.example.com and shop.example.com) can each set document.domain to the common parent, example.com, after which they are allowed to interact. The implications of these restrictions are discussed in more detail in Jason Levitt's article[2] on XML.com, excerpted below.

“But the kind of AJAX examples that you don’t see very often (are there any?) are ones that access third-party web services, such as those from Amazon, Yahoo, Google, and eBay. That’s because all the newest web browsers impose a significant security restriction on the use of XMLHttpRequest. That restriction is that you aren’t allowed to make XMLHttpRequests to any server except the server where your web page came from. So, if your AJAX application is in the page http://www.yourserver.com/junk.html, then any XMLHttpRequest that comes from that page can only make a request to a web service using the domain www.yourserver.com. Too bad — your application is on www.yourserver.com, but their web service is on webservices.amazon.com (for Amazon). The XMLHttpRequest will either fail or pop up warnings, depending on the browser you’re using.”

Jason Levitt
Fixing AJAX: XMLHttpRequest Considered Harmful
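To make the rule concrete, here is an added JavaScript example (not code from the original tutorial or from Amazon) that performs the same comparison a browser does before allowing an XMLHttpRequest, and then shows the document.domain relaxation described above. The www.yourserver.com and webservices.amazon.com hosts come from the quote; the port and protocol variants, and the two-label check standing in for the browser's public-suffix list, are assumptions made for illustration. Nothing is fetched, so it runs offline under Node.js.

```javascript
// Added example, not code from the original tutorial: the comparison a
// browser performs before letting a page read another URL's content.
// Hostnames are those from the quoted passage; nothing is fetched, so this
// runs offline under Node.js (the WHATWG URL class is built in).

// Ports the browser fills in when the URL leaves them out.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the three parts the same-origin policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                         // "http:" or "https:"
    host: u.hostname,                           // already lower-cased by the parser
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// The XMLHttpRequest rule from the article: the page's origin and the
// target's origin must agree on scheme, host and port. Path and query play
// no part, so /junk.html and /search on the same host are fine.
function sameOrigin(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// document.domain does not enforce the rule; it relaxes it. A page may set
// document.domain only to its own host or to a parent of that host, and
// browsers refuse bare top-level labels such as "com". Requiring at least
// two labels is a simplification assumed here; real browsers consult the
// public-suffix list (so "co.uk" is refused as well).
function canSetDocumentDomain(hostname, value) {
  const v = value.toLowerCase();
  if (v.split(".").length < 2) return false;
  return hostname === v || hostname.endsWith("." + v);
}

// Two pages that both set document.domain to the same legal value may
// script each other. The scheme must still match; the port is ignored in
// this relaxed mode, which is one reason the feature is deprecated.
function canScriptViaDocumentDomain(pageUrlA, pageUrlB, value) {
  const a = originOf(pageUrlA);
  const b = originOf(pageUrlB);
  if (a.scheme !== b.scheme) return false;
  return canSetDocumentDomain(a.host, value) && canSetDocumentDomain(b.host, value);
}

// Constructed cases: the two hosts from the quote plus the protocol and
// port variations the article mentions.
const PAGE = "http://www.yourserver.com/junk.html";
const CASES = [
  "http://www.yourserver.com/search?q=ajax",   // same origin, different path
  "http://www.yourserver.com:80/search",       // explicit default port, still same
  "http://www.yourserver.com:8080/search",     // different port
  "https://www.yourserver.com/search",         // different scheme
  "http://webservices.amazon.com/",            // different host: the Amazon case
];

// One row per case: would an XMLHttpRequest from PAGE be allowed to read it?
function xhrTable() {
  return CASES.map((target) => ({ target, allowed: sameOrigin(PAGE, target) }));
}

for (const row of xhrTable()) {
  console.log(`${row.allowed ? "allow" : "block"}  ${PAGE} -> ${row.target}`);
}
```

Only the last case corresponds to the situation in the quote, and it is blocked. The browser applies this check to XMLHttpRequest, not to resources it loads through a `<script src="...">` element; that exemption is what allows a response that is itself valid JavaScript, such as JSON, to be loaded from another domain at all.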

Since the Amazon data lives on a different domain from the page that wants to use it, we need a way to move data between the two domains that stays within these restrictions rather than violating them. The Amazon API answers this puzzle with a combination of two techniques from the AJAX toolbox: JavaScript Object Notation (JSON) as the data format, and XSLT to produce it.