Blog Post About Cross-Domain JSONP AJAX Requests/Forms in Lift


Matt Farmer

Mar 3, 2013, 1:18:18 AM
to lif...@googlegroups.com
Hey folks,

Thought this might be of interest to people around here (or possibly someone looking to do it in the future), so I figured I'd share it here. Today I locked down authentication on one of my Lift apps. The landing page for our app has a login form on it, and I didn't want to SSL the entire site, so I made some tweaks to the client-side Lift AJAX code so that AJAX requests would use JSONP on the landing, enabling me to submit the login information via HTTPS, even if you were visiting our landing page on regular ole HTTP.

I thought the code that I produced out of it could be useful for other people using Lift, so I wrote a blog post about it, which can be found here:


Additionally, in the event this mailing list post outlives my blog for some reason, the source changes I made are available on GitHub here:


Hopefully this'll help other people using Lift. Let me know if you have any recommendations for improvement to the technique. (And hat tip to Antonio for the idea of using a response transformer.)

Cheers,

Matt

Diego Medina

Mar 3, 2013, 12:56:27 PM
to Lift
Thanks for sharing Matt!

One comment though, I normally don't like sites that ask for a
user/pass on a non-https URL.
In this case, it isn't obvious to the user that the form is going to
be submitted through https, so users may 1) decide this site isn't safe,
so they will look somewhere else, or 2) learn that it is ok to
submit user/pass info on an http site, which doesn't help the greater
good.

What's the reason for not having the page/site be https?

Thanks

Diego
> --
> --
> Lift, the simply functional web framework: http://liftweb.net
> Code: http://github.com/lift
> Discussion: http://groups.google.com/group/liftweb
> Stuck? Help us help you:
> https://www.assembla.com/wiki/show/liftweb/Posting_example_code



--
Diego Medina
Lift/Scala Developer
di...@fmpwizard.com
http://fmpwizard.telegr.am

Matt Farmer

Mar 3, 2013, 5:20:45 PM
to lif...@googlegroups.com
Primarily, it's so we can avoid the overhead of the SSL handshake and bandwidth for connections we don't care about. The public landing pages are the ones that are going to get slammed with traffic once we start advertising and promoting the product post launch, and we currently can't afford the cost that would be associated with CDN-ing and caching the SSL-protected pages. So, I get the benefit of the free CacheFly caching for people who aren't interested in purchasing the product (or bots), and for the relatively small number who actually convert I am (in theory) getting some money from them. If it sounds like I'm somewhat concerned about processing power, it's because I am. The entirety of the service is run from a 512MB Linode instance, which includes nginx, MongoDB, and Jetty.

Of course, the caching primarily applies to CSS and JavaScript for now. I'm debating an addition to Antonio's SBT resource management that will deploy images as well. That'll really help.

Once we're able to afford the CacheFly account to cache and CDN things over SSL (which I hope will be sooner rather than later), we'll probably take the entire product SSL only.

Antonio Salazar Cardozo

Mar 3, 2013, 6:39:06 PM
to lif...@googlegroups.com
This is a specific and much much cleaner implementation of some prototyping I did a couple of years ago looking into the idea of doing comet in a widget embedded on another site via JSONP. The idea was the same as here—use a response transformer to convert regular comet responses (rather than the AJAX ones in question here) to JSONP responses. Interestingly enough, the response transformer is the same for both types of responses, since both just send back JavaScriptResponses, so doing one gets you the other for free.

In the comet case, however, we had to support executing commands on the calling page, which complicated things a bit.

This looks awesome!
Thanks,
Antonio
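Added example (not code from Matt's post, his blog, or Lift itself): a self-contained JSONP round-trip in JavaScript that models the two pieces the thread describes, the client-side switch from XMLHttpRequest to a callback-named script request (Matt's post) and the server-side transformer that wraps a response for it (Antonio's post), runnable under Node with no browser. The endpoint URL, the `jsonpWrap`/`jsonpRequest`/`handleAjaxRequest` helpers and the 'alice' credential check are assumptions for illustration. Two things the technique depends on that the thread does not spell out: the callback parameter is attacker-controlled and must be validated as a plain identifier before it is echoed, or the HTTPS endpoint becomes a reflected script-injection oracle for any origin; and a JSONP response is executed as script on the calling page, so HTTPS protects the credentials in transit but not the http:// page that hosts the form, which can itself be altered on the way to the browser.

```javascript
// Added example, not code from the post or from Lift: a JSONP login round-trip
// modelled offline. The endpoint URL, the helper names and the 'alice' check
// are constructed for illustration.

// The callback name arrives in the query string, so it is attacker-controlled.
// Accept only a plain JS identifier; otherwise ?callback=alert(document.cookie)//
// turns the HTTPS endpoint into a reflected script-injection oracle that any
// origin can load with a <script> tag.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

// Server side: what a response transformer does to an AJAX response before it
// goes back to a cross-origin <script> request.
function jsonpWrap(callbackName, payload) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error('rejected JSONP callback name: ' + JSON.stringify(callbackName));
  }
  // JSON.stringify yields a valid JS expression; U+2028/U+2029 are escaped by
  // hand so the body also parses on pre-ES2019 engines.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      // Serve as script and forbid sniffing; the body is executable either way,
      // so never let it be mistaken for JSON or HTML.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment keeps the response from starting with attacker-chosen
    // bytes (the callback name), which content-confusion attacks on JSONP
    // endpoints have relied on.
    body: '/**/' + callbackName + '(' + json + ');',
  };
}

// Stand-in for the HTTPS login endpoint; it only sees the query string here.
function handleAjaxRequest(rawUrl) {
  const url = new URL(rawUrl);
  const cb = url.searchParams.get('callback') || '';
  const user = url.searchParams.get('username') || '';
  // Constructed check standing in for real credential verification.
  const result = user === 'alice'
    ? { ok: true, redirect: '/app' }
    : { ok: false, error: 'bad credentials' };
  return jsonpWrap(cb, result);
}

// Client side: instead of XMLHttpRequest (same-origin only), register a
// one-shot global callback and load the endpoint as a <script>. That is what
// lets an http:// page call an https:// endpoint.
let counter = 0;
function jsonpRequest(endpoint, params, onResponse, inject, global = globalThis) {
  const name = '__jsonp_cb_' + (++counter);
  const url = new URL(endpoint);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  url.searchParams.set('callback', name);
  global[name] = (data) => {
    delete global[name]; // one-shot: do not leave a hook for later scripts
    onResponse(data);
  };
  inject(url.toString()); // in a browser: document.head.appendChild(<script src>)
  return name;
}

// Offline transport: obtain the "server" body and execute it the way the
// browser would execute a fetched script, i.e. as code, not as data.
function fakeScriptInject(url) {
  const resp = handleAjaxRequest(url);
  new Function(resp.body)();
}

function demoLogin(username) {
  let received = null;
  jsonpRequest('https://app.example/ajax', { username },
    (d) => { received = d; }, fakeScriptInject);
  return received;
}

console.log(demoLogin('alice')); // { ok: true, redirect: '/app' }
```

The validation regex is the part to keep even if everything else changes: a transformer that echoes the callback verbatim is a script-injection bug regardless of whether the login data itself travels over TLS. In a real deployment the endpoint would also need its own CSRF and rate-limiting story, since a script request carries no custom headers and any origin can issue it.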

Christian Thomas

Jul 7, 2013, 2:30:47 PM
to lif...@googlegroups.com
Hi,

I'm very interested in reading your post, but sadly I get "No page found - 404" :(

I need to send some binary data inside a JSON object (JSONP) as a parameter of a JE.Call (JsCmd). Maybe your article will help me...

Thanks 

Christian

Richard Dallaway

Jul 8, 2013, 4:32:04 AM
to liftweb

Matt Farmer

Jul 8, 2013, 8:08:34 AM
to lif...@googlegroups.com
Yeah, sorry about that. I moved my blog and haven't had the chance to go through and fix all the permalinks. I moved from Squarespace back to WordPress and they seriously screwed up my links. :(

--
Matt Farmer


Matt Farmer

Jul 14, 2013, 7:15:56 PM
to lif...@googlegroups.com
Just wanted to let you guys know that the original link should be working again. I tried to run a script against the new place I had put my blog and got locked out of their firewall for suspicious activity. Decided just to move back to Squarespace. ha.

fmpwizard

Jan 23, 2017, 5:44:33 AM
to Lift
I know this is an old post and lots of things have changed since 2013, but note that Chrome will start marking those fields/sites as insecure:


Thanks

(This is just for those who may land on this thread by searching on this topic)

Diego
