Scripts that run client-side and can communicate with the outside world (via HTTP requests) will always be limited: there is no way for the destination HTTP server to know exactly where the communication came from.
This limits the ability to offer personalised services.
A function exists in the JScript VM for the interface which, when called, tells the Domain Stack “%User wishes to perform HTTP query to %Destination.” The Domain Stack then carries out the query, embedding the user’s ID (the login username, used as a UID) and the user’s current domain in the header, so that the PHP can do whatever it needs to do knowing that it’s definitely the user.
This also provides a level of security for the user’s IP address, as queries sent from the Domain Stack will not contain it. It also adds another possibility for authentication, because the PHP server can check that the request comes from an IP address which is known to be the domain server.
Then, after performing the query, the domain server simply passes the response information back to the user.
Idea for a Security Solution
- Client-side script executes an HTTP query to a PHP server using the system proposed above.
- Domain server checks to see if user exists within the domain before sending.
- Domain server then sends a request to the destination server with the User and Domain embedded in the header.
- PHP back-end receives the request and then uses an API (another proposal) to also verify the user exists within that domain, and that the domain IP address matches the source of the request.
- PHP back-end can now be pretty sure that the communication is secure, rather than coming from someone making a manual HTTP request client-side and hand-crafting the header to bypass security measures.
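
A sketch of the back-end check from the fourth step, as an added example rather than code from the original proposal. The header names `X-Domain-User` and `X-Domain-Name`, the domain registry, the addresses and the `$lookup` callable standing in for the proposed verification API are all assumptions.

```php
<?php
// Constructed registry: domain name => address of its domain server.
// 203.0.113.10 is a documentation address, not a real deployment.
const DOMAIN_SERVERS = ['example-domain' => '203.0.113.10'];

// $server is shaped like $_SERVER; $userExists stands in for the proposed
// lookup API (hypothetical). Returns [bool $ok, string $reason].
function verify_relayed_request(array $server, callable $userExists,
                                array $domainServers = DOMAIN_SERVERS): array
{
    // Hypothetical header names X-Domain-User / X-Domain-Name.
    $user   = $server['HTTP_X_DOMAIN_USER'] ?? '';
    $domain = $server['HTTP_X_DOMAIN_NAME'] ?? '';
    if ($user === '' || $domain === '') {
        return [false, 'missing identity headers'];
    }
    if (!isset($domainServers[$domain])) {
        return [false, 'unknown domain'];
    }
    // Compare the TCP peer address only. Forwarding headers such as
    // X-Forwarded-For are set by the sender and prove nothing here.
    if (($server['REMOTE_ADDR'] ?? '') !== $domainServers[$domain]) {
        return [false, 'source is not the domain server'];
    }
    if (!$userExists($user, $domain)) {
        return [false, 'user not in domain'];
    }
    return [true, 'ok'];
}

// Constructed directory lookup and sample requests.
$lookup = fn(string $u, string $d): bool => $u === 'alice' && $d === 'example-domain';
$hdrs = ['HTTP_X_DOMAIN_USER' => 'alice', 'HTTP_X_DOMAIN_NAME' => 'example-domain'];
$samples = [
    'relayed by the domain server' => ['REMOTE_ADDR' => '203.0.113.10'] + $hdrs,
    'hand-built headers, other source' => ['REMOTE_ADDR' => '198.51.100.7'] + $hdrs,
    'spoofed forwarding header' => ['REMOTE_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.10'] + $hdrs,
    'unknown user via domain server' => ['REMOTE_ADDR' => '203.0.113.10',
        'HTTP_X_DOMAIN_USER' => 'mallory', 'HTTP_X_DOMAIN_NAME' => 'example-domain'],
];
foreach ($samples as $label => $req) {
    [$ok, $reason] = verify_relayed_request($req, $lookup);
    printf("%-34s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $reason);
}
```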
Update: Added to worklist: https://worklist.net/20717