Suppose:

  1. You have a website http://www.example.com that redirects to a project on Google App Engine (i.e. example.appspot.com);
  2. You want communications with the user to pass over SSL (i.e. https://example.appspot.com); and
  3. You want the domain shown to the user to be *://www.example.com (i.e. not https://example.appspot.com).

Given that Google's Appspot HTTPS support only works for https://example.appspot.com (i.e. you cannot set up https://www.example.com with GAE), I'd like to have an Ajax solution, namely:

  1. http://www.example.com serves HTML and Javascript over http
  2. Ajax requests go over SSL to https://example.appspot.com

My question/concern is: How does one ensure that the users logged into http://www.example.com (by way of Google's users API) pass their authentication credentials over Ajax to https://example.appspot.com?

This seems to be a violation of the same origin policy (which may or may not be a concern for the Google Users API), so how would one know what user is logged in to example.com for the Ajax requests to example.appspot.com?

Thoughts, comments and input are quite appreciated.

Thank you.

Brian

+2  A: 

There are ways to work around same-origin when both sites cooperate, e.g. see this post, but only trial-and-error will reveal which techniques do work for your specific requirements (it may depend on how strictly the user has set security safeguards in their browser, as well as on server-side implementations).

Alex Martelli
+1  A: 

Wouldn't it be far simpler to use frames? Serve up a single full-size frameset from yourdomain.com containing content from https://yourapp.appspot.com/.

Note, though, that either solution has the problem that users see an unsecured site, not a secured one.

Nick Johnson
Aye - Server Name Indication - http://en.wikipedia.org/wiki/Server_Name_Indication - might be the real answer.
Brian M. Hunt
+2  A: 

You can try using JSONP to get around that. However, JSONP doesn't have very good error recovery like JSON does when doing XHR calls.

AutomatedTester
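An added example (not AutomatedTester's code) of the server side of the JSONP workaround, in Python. Because a JSONP endpoint echoes a caller-supplied callback name into a script body that the browser executes, the App Engine handler has to validate that name before reflecting it. The function name, the identifier pattern and the sample data are assumptions for illustration; the function returns what a request handler would write out rather than depending on any web framework.

```python
import json
import re

# Assumption for this example: a callback may be a dotted JavaScript identifier
# such as "jQuery.handlers.onUser"; anything else (parentheses, quotes,
# semicolons, whitespace) is rejected so the caller cannot inject script into
# the response that https://example.appspot.com hands back.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def jsonp_response(callback, data):
    """Return (status, content_type, body) for a JSONP request.

    `callback` is the value of the ?callback= query parameter supplied by the
    browser; `data` is the JSON-serialisable result the app wants to return.
    """
    if not callback or not _CALLBACK_RE.match(callback):
        # Never reflect an unvalidated name; fail closed instead.
        return 400, "text/plain", "invalid callback"
    # json.dumps with its default ensure_ascii=True emits \uXXXX escapes for
    # non-ASCII characters, so U+2028/U+2029 cannot terminate the script line.
    # The leading comment keeps the first bytes of the response fixed rather
    # than attacker-chosen.
    body = "/**/ %s(%s);" % (callback, json.dumps(data))
    # Served as script, not JSON: the browser loads it through a <script src>.
    return 200, "application/javascript; charset=utf-8", body
```

The 400 branch also illustrates the error-recovery gap the answer mentions: a script-tag load has no response object, so the page only ever sees "callback was called" or "callback was not called", and must use a timeout to notice the latter.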
+1  A: 

example.appspot.com does not share any cookies with example.com - it will be impossible for you to identify the user without making them sign-in on example.appspot.com as well.

You could, of course, completely ditch Google Authentication on example.appspot.com and implement your own scheme; you could append a signature and the username to the AJAX requests you create and verify that signature on your App Engine app. If the signature is valid, just accept the user that was passed in as the authenticated user and pretend he logged in.

Patrick
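An added example (not Patrick's code) of the signing scheme he describes, in Python. The www.example.com server, which knows who is logged in through the Users API, computes an HMAC over the username and the request and embeds the result in the page; the App Engine app recomputes it and, on a match, treats the named user as authenticated. Two details go beyond what the answer spells out and are assumptions of this example: a timestamp bounds how long a signed request can be replayed, and the secret is shared only between the two servers and never sent to the browser (page JavaScript that could sign requests could equally sign them for any other user). The secret value, the field names and the sample request are invented for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Assumption: a long random secret provisioned on both servers out of band.
SHARED_SECRET = b"example-only-replace-with-32-random-bytes"
MAX_SKEW_SECONDS = 300  # window in which a signed request is accepted


def _canonical(user, issued_at, payload):
    """Length-prefix every field so no field boundary is ambiguous."""
    parts = [user, str(issued_at), payload]
    return "".join("%d:%s" % (len(p), p) for p in parts).encode("utf-8")


def _mac(secret, user, issued_at, payload):
    return hmac.new(secret, _canonical(user, issued_at, payload), hashlib.sha256).hexdigest()


def sign_request(user, payload, secret=SHARED_SECRET, now=None):
    """Run on www.example.com for the user the Users API reports as logged in.

    Returns the query string the page's JavaScript appends to its Ajax call to
    https://example.appspot.com. `payload` is the request content the
    signature covers, so the browser cannot alter it either.
    """
    issued_at = int(time.time() if now is None else now)
    return urlencode({
        "user": user,
        "ts": issued_at,
        "payload": payload,
        "sig": _mac(secret, user, issued_at, payload),
    })


def verify_request(query_string, secret=SHARED_SECRET, now=None):
    """Run on example.appspot.com; returns the verified username or None."""
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        user = params["user"][0]
        issued_at = int(params["ts"][0])
        payload = params["payload"][0]
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    current = int(time.time() if now is None else now)
    if abs(current - issued_at) > MAX_SKEW_SECONDS:
        return None  # stale, or a replay of an old request
    expected = _mac(secret, user, issued_at, payload)
    # Constant-time comparison so a forger gets no timing side channel;
    # compared as bytes so a non-ASCII "sig" cannot raise instead of failing.
    if not hmac.compare_digest(expected.encode("utf-8"), sig.encode("utf-8")):
        return None
    return user
```

With this in place example.appspot.com trusts www.example.com's statement of who is logged in, so the scheme is exactly as strong as that server and the secrecy of the key; the browser itself never holds anything it could use to impersonate another user.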