Using easyXDM (or any other client-side framework) for HTTP service availability tests (or response parsing in general) possible?

StackOverflow https://stackoverflow.com/questions/22400966

  •  14-06-2023

Question

I can't see from the docs how it should work. Debugging with Firebug did not help either. Maybe I would have to sit for some hours to understand it better.

The basic problem is that I'd like to check the availability of various geo services (WFS, WMS). Due to the problem of XSS browser restrictions, XMLHttpRequest did not work.

I guess the Socket interface is the proper one to use, since I am not able to implement some CORS scenarios because I have no influence on the external services.

Using the following code works fine and returns some requested data (Firefox popup for the downloaded XML response):

var socket = new easyXDM.Socket({
    remote: "http://path.to/provider/", // the path to the provider
    onReady:function(success) {
        alert(success);  // will not be called
    },
    onMessage:function(message, origin) {
        alert(message, origin);  // will not be called
    }
});

However I did not find a way (trying with the onReady and onMessage callbacks) to somehow get to some HTTP status object that I can process to determine which kind of response, e.g. 200, 404, I got.

Maybe it's the completely wrong way to solve this?


Solution

Sadly, even my bounty did not help to get answers, so I took a quick look around to gather some more info on the issue myself... First...

the general problem of XSS

Looking at XSS and some related issues/links, these discuss the problems more than solutions (which is OK).

Looking at the related Firefox docs about the JavaScript same-origin policy, it becomes clear that our global slogan Security over Freedom [1] is also applied in this area. (Personally I don't like this way of solving the problem and would have liked to see another way to solve these problems, as described at the end of this answer.)

[1]: nicely attributed by Benjamin Franklin's (founder of the US) statement: He who sacrifices freedom for security deserves neither.

the CORS solution (=> external server dependencies)

The only supported standard/robust way seems to be to use the CORS (Cross Origin Resource Sharing) functionality. Basically that means the external server has to at least deliver some CORS-compliant info (HTTP Header Access-Control-Allow-Origin: *) to allow others (= the client browser) to request data/content/.... Which also means that if one does not have control over the external server there will be no general robust client-side/browser-way to do this at all :-(.

robust solution for server/client applications (if no external server control)

So if our external server does not support CORS, or it is not configured to be usable by our requester origin (protocol/domain/port combination), it seems best to do this kind of access on our own application's server side, where we do not have these kinds of restrictions, but of course other implications.

client-side solution I would have liked to see

Some introduction first to understand the client-side world I experience browsing the web as a standard user ...

I personally do not like to be tracked when browsing the web nor do I like to be slowed down with poor hardware or network resources nor do I want to get exposed to simply avoided data security issues when browsing the web. That's why I am using Firefox with various useful plugins like RequestPolicy, AdBlock Plus, Ghostery, Cookie Monster, Flashblock ... . This already shows a complexity, no average user usually could/would handle. But especially looking at RequestPolicy it shows how access to external resources can be handled on the client-side.

So if e.g. Firefox (without these plugins) would support some functionality to show the user a dialog similar to RequestPolicy, that could state something like the following, we could loosen the one origin policy:

  [x] 'http://srcdomain.com' (this site)
  [ ] all sites  (select to block/allow for all sites)

would like to request some data from 

  [x] 'http://dstdomain.com'
  [x] 'http://dst2domain.com' 

in a generally considered UNSECURE way.

You can select one of the following options about how to proceed with
access to the selected sites from the selected sites:

  [x] block always (generally recommended)
  [ ] block only for this session
  [ ] allow always (but not to subreferences)  [non-recursively]
  [ ] allow only for this session (but not to subreferences)  [non-recursively]
  [ ] allow always (and all subreferences)  [recursively]
  [ ] allow only for this session (and all subreferences)  [recursively]

Of course this should be formulated as clearly as possible to the average user, which I certainly did not do here, and may also be handled by a default in the settings like the other existing technologies (Cookie Handling, JavaScript Handling, ...) do it.

This way I could solve the problem I have without much hassle, because I could nicely handle the amount of user setup required for this in my situation.

answer regarding easyXdm

I guess since they recommend CORS as well and depend on the browsers, this is the only robust way, although some workarounds may still exist depending on browsers/versions/plugins like Flash and so on.
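The server-side route the answer recommends, sketched for Node.js as an added example (not code from the question, the answer, or easyXDM). One of the "other implications" is that the application server now fetches URLs on behalf of clients, so the probe only contacts origins on a fixed allowlist and returns the HTTP status rather than the body. The names `ALLOWED_ORIGINS`, `originOf`, `browserCouldRead` and `probe`, and the `example.org` hostnames, are assumptions made for illustration.

```javascript
// Added example. Hostnames are constructed placeholders, not real services.
const ALLOWED_ORIGINS = new Set([
  "http://wms.example.org",
  "https://wfs.example.org:8443",
]);

// Origin = protocol/domain/port combination; URL drops default ports.
function originOf(rawUrl) {
  const u = new URL(rawUrl); // throws on malformed input
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  return u.origin;
}

// Simplified CORS check (no credentials, no preflight): could a page at
// pageOrigin read a response carrying this Access-Control-Allow-Origin?
function browserCouldRead(pageOrigin, acao) {
  if (acao == null) return false;
  const v = acao.trim();
  return v === "*" || v === pageOrigin;
}

// Server-side probe: returns only status metadata, never the response body.
async function probe(serviceUrl, pageOrigin, fetchImpl = globalThis.fetch) {
  let origin;
  try {
    origin = originOf(serviceUrl);
  } catch (e) {
    return { ok: false, reason: "bad-url" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), 5000);
  try {
    // redirect: "manual" keeps a 3xx from leading outside the allowlist.
    const res = await fetchImpl(serviceUrl, { redirect: "manual", signal: ctl.signal });
    const acao = res.headers.get("access-control-allow-origin");
    return { ok: res.status >= 200 && res.status < 300, status: res.status,
             corsReadable: browserCouldRead(pageOrigin, acao) };
  } catch (e) {
    return { ok: false, reason: "unreachable" };
  } finally {
    clearTimeout(timer);
  }
}
```

The `corsReadable` field reports whether a browser page at the given origin could have read the same response directly, which is the condition the question's XMLHttpRequest attempt did not meet.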

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow