#1 2012-06-15 08:45:59

chapa
Member
Registered: 2012-04-30
Posts: 117

Proposal: JSONP javascript callback parameter

Hi ab,

I would like to propose TSQLRestServer functionality.

When calling server methods from a JavaScript client, it is common to use JSONP calls.
It would be nice if TSQLRestServer exposed a property for the URL callback parameter.
URI() can check whether this URL parameter exists and, if so, wrap the Resp as a JavaScript function call to the URL callback parameter value.

Offline

#2 2012-06-15 09:01:23

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,657

Re: Proposal: JSONP javascript callback parameter

I did not know about http://en.wikipedia.org/wiki/JSONP

This is a nice pattern, but security is a concern here.
We may disable it by default, and allow its use only if a new seJSONP element of TSQLAllowRemoteExecute is set in TSQLAccessRights.
And perhaps, in addition to this global seJSONP setting, a per-table setting is worth adding, void by default, as such:

  /// JSONP method table access bits
  // - JSONP or "JSON with padding" is a complement to the base JSON data format. 
  // It provides a method to request data from a server in a different domain, something
  // prohibited by typical web browsers because of the same origin policy. - see http://en.wikipedia.org/wiki/JSONP
  //  - only used if seJSONP attribute is set in AllowRemoteExecute
  JSONP: TSQLFieldTables;

I've added it to the official mORMot RoadMap - see http://synopse.info/fossil/wiki?name=RoadMap

Online

#3 2012-06-15 10:34:38

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Proposal: JSONP javascript callback parameter

I'd find this useful too in a development environment. It would allow a web client to be developed on a Mac or separate PC while still communicating with a mORMot server running on Windows. It doesn't look like much work to add :)

Offline

#4 2012-06-15 11:22:09

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,657

Re: Proposal: JSONP javascript callback parameter

This is already possible with the current implementation.

JSONP is just a way to allow cross-site JSON request.

Online

#5 2012-06-15 11:57:29

chapa
Member
Registered: 2012-04-30
Posts: 117

Re: Proposal: JSONP javascript callback parameter

Ab,
I think this has nothing to do with framework access rights. The same security rules apply to the client, whether it is a Delphi client, browser, JavaScript or whatever the developer wishes to use to access the framework over HTTP.
A browser, for example, will receive the response from mORMot (taking care of current security), but there is no way for the calling JavaScript function to be notified of receiving the response.

Here is how I implement it, but I think it is not the right place. TSQLRestServer.URI() is better I think, anyway:
"_TJSONP" is the callback parameter SmartMobileStudio uses, but it should be customizable.

function TKVSQLite3HttpServerHelper.Request(const InURL, InMethod, InHeaders, InContent,
  InContentType: TSockData; out OutContent, OutContentType, OutCustomHeader: TSockData): cardinal;
const
  C_CALLBACK_PARAM: RawUTF8 = '_TJSONP';
var
  p: Integer;
  newURL: TSockData;
begin
  p := PosEx(C_CALLBACK_PARAM, InURL, 1);
  if p > 0 then
  begin
    newURL := Copy(InURL, 1, p - 1);
    Result := inherited Request(newURL, InMethod, InHeaders, InContent, InContentType, OutContent, OutContentType, OutCustomHeader);
    OutContent := Copy(InURL, p, Length(InURL)) + '(' + OutContent + ');';
  end
  else
    Result := inherited Request(InURL, InMethod, InHeaders, InContent, InContentType, OutContent, OutContentType, OutCustomHeader);
end;

But SmartMobileStudio does not use good practices in its JSONP URL notation.
The most common form is to specify:
http://<host>:<port>/<modelroot>/<table/method>[?params[,..]]&_callback=MyJavascriptCallBackFunction

Then the mORMot REST Server will return the same JSON response, but wrapped as a JavaScript function call:
"MyJavascriptCallBackFunction(<here comes json content from the server>);"

This way the calling JavaScript function can be notified of the response.

P.S. I think esmondb means that if he deploys a mORMot server on a Windows machine and develops a client JavaScript library accessing the server from another machine (the developer's, for example), the JavaScript is only able to access the server using JSONP requests. But currently URI() does not wrap the response, so there is no way for his JavaScript callback function to be notified of the response.

Last edited by chapa (2012-06-15 12:16:09)

Offline

#6 2012-06-15 12:26:08

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,657

Re: Proposal: JSONP javascript callback parameter

You are right.
I was not thinking about cross-PC testing.

About access rights, IMHO it is better to have JSONP not handled by default, and only available for some tables, on request.
A global setting does make sense.
With URI signature and authentication, it would indeed be secure enough.

It is on the roadmap.
Thanks for your feedback!

Online
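
The wrapping chapa proposes combined with the opt-in ab asks for, as an added example that is not part of the thread and not mORMot code: because the callback value is copied into a reply the browser executes as script, it is accepted only when it is a plain identifier and the table has opted in. IsSafeCallback, ExtractParam, WrapJsonp, TJsonpResult and the sample URLs are hypothetical; only the `_callback` parameter name comes from the thread.

```pascal
program JsonpWrapDemo;
{$ifdef FPC}{$mode delphi}{$else}{$APPTYPE CONSOLE}{$endif}
// Added example: all names are hypothetical, none is mORMot API.
type TJsonpResult = (jrPlainJson, jrWrapped, jrRefused);
// Only a short, plain JavaScript identifier may be reflected into the reply.
function IsSafeCallback(const Name: string): Boolean;
var i: Integer;
begin
  Result := (Name <> '') and (Length(Name) <= 64) and not (Name[1] in ['0'..'9']);
  for i := 1 to Length(Name) do
    if not (Name[i] in ['A'..'Z', 'a'..'z', '0'..'9', '_', '$']) then
      Result := False;
end;
// Value of Param in the query string, '' if absent. Deliberately not URL-decoded:
// a percent-encoded callback then fails IsSafeCallback.
function ExtractParam(const URL, Param: string): string;
var q, p, e: Integer;
begin
  Result := ''; q := Pos('?', URL);
  if q = 0 then Exit;
  Result := '&' + Copy(URL, q + 1, MaxInt);
  p := Pos('&' + Param + '=', Result);
  if p = 0 then begin Result := ''; Exit; end;
  Result := Copy(Result, p + Length(Param) + 2, MaxInt);
  e := Pos('&', Result);
  if e > 0 then SetLength(Result, e - 1);
end;
// Wraps Body only when the table is opted in and the callback name is safe.
function WrapJsonp(const Callback: string; TableOptedIn: Boolean;
  var Body, ContentType: string): TJsonpResult;
begin
  Result := jrPlainJson;
  if Callback = '' then Exit;             // ordinary JSON request
  Result := jrRefused;                    // caller answers with an error status
  if not (TableOptedIn and IsSafeCallback(Callback)) then Exit;
  Body := Callback + '(' + Body + ');';
  ContentType := 'application/javascript; charset=utf-8';  // reply is script now
  Result := jrWrapped;
end;
procedure Show(const URL: string; TableOptedIn: Boolean);
var Body, CT: string; r: TJsonpResult;
begin
  Body := '{"ID":1}'; CT := 'application/json';   // constructed sample reply
  r := WrapJsonp(ExtractParam(URL, '_callback'), TableOptedIn, Body, CT);
  WriteLn(Ord(r), ' ', CT, ' ', Body);
end;
begin
  Show('/root/Customer?limit=10&_callback=onData', True);  // opted-in table, plain name
  Show('/root/Customer?_callback=onData%3Bx', True);       // name with other characters
  Show('/root/Invoice?_callback=onData', False);           // table without JSONP opt-in
end.
```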
