As is known, a web browser communicates with a server. The web browser may submit a request to a server for a webpage or for other information or an application, and the server serves a response to the browser. Thus, in a basic webpage request/response arrangement, a browser sends a request to a web server and in exchange receives a webpage; each new request results in a new webpage. The webpage can further include JavaScript. When JavaScript is used, a new request may be made to the server. In this case, rather than a new webpage, new data is provided in the response and presented in the same webpage; that is, the content of the webpage may change without the webpage being reloaded on the user's system. These types of requests are commonly termed “AJAX” requests. AJAX requests may be made to the original domain or, through a proxy, to a separate domain.
Unfortunately, information running in a webpage is generally open and available for others to see. Furthermore, due to JavaScript's security model, JavaScript in a webpage can only communicate with the same domain from which the webpage was originally retrieved. Thus, a webpage executing JavaScript cannot pull information from other webpages or remote servers directly, or separately from the original server associated with the website.
To request information from a remote server, a request must be made through a proxy. In a typical “Web 2.0” application, JavaScript running in the user's browser may access information from a remote second web application or server. These AJAX requests occur through a proxy in the original application server, which communicates with the remote server. In other words, JavaScript communicates a request to the original server, which has a proxy therein. The original server, via the proxy, passes the request on to an external or remote server and may subsequently pass the response from the remote server back to the JavaScript running in the webpage. Thus, the proxy may send requests to other websites or servers in order to pull information from them. Restrictions are often placed upon proxies limiting the servers with which they may communicate, so as to avoid or reduce the risk of illegal or unauthorized behavior.
Trusted relationships are important to the operating environment described. A trusted relationship exists between the client (i.e., the browser with the webpage running JavaScript) and the original server. As a result of this relationship, the client and the original server can share session information. A trusted relationship also exists between servers; thus, two servers can share private information as well. However, no trusted relationship exists between the browser and the remote server. As a result, a remote server cannot trust raw information passed from the browser, even if it passes through the proxy.
Due to this lack of trust, the arrangement does not allow the original application to retrieve personal information from the remote application or server. Furthermore, the identifying information cannot come from the JavaScript creating the request, because this information can easily be viewed and/or altered. Moreover, JavaScript's security model permits it to make requests only back to its original domain. In the most general terms, JavaScript cannot talk to other, remote servers to obtain information.
Accordingly, a mechanism and method are provided for allowing an application proxy to dynamically insert trusted information into a request to a remote server, in order to safely retrieve protected or sensitive information requested by a client. Additionally, a system is provided to prove the identity of the client to a remote server, or to establish a trusted relationship between the client, the original server and the remote server.
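The following is an added illustration of the proxy arrangement described above; it is not code from the patent. It models the original server's proxy as a pure function: the browser's AJAX request arrives with a session identifier, the proxy looks the session up in its own server-side store (the client/original-server trust relationship), discards any identity headers the JavaScript itself supplied (which the remote server cannot trust), checks the target against the proxy's allow-list, and injects an HMAC-signed identity assertion keyed with a secret shared only between the two servers (the server/server trust relationship). The remote side verifies that assertion. All names, the session store, the shared secret and the allow-listed host are constructed assumptions.

```python
"""Added example: an application proxy that injects a trusted identity assertion.

Everything here is hypothetical: SESSIONS, ALLOWED_REMOTES and
SERVER_SHARED_SECRET are constructed stand-ins for a real session store,
proxy allow-list and server-to-server pre-shared key.
"""
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Pre-shared between the original server and the remote server only; the
# browser never sees it (constructed value).
SERVER_SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"

# Servers the proxy is permitted to contact (constructed allow-list).
ALLOWED_REMOTES = {"remote.example.test"}

# Server-side session store populated at login (constructed entry).
SESSIONS = {"sess-123": {"user_id": "alice"}}

# Headers a browser might send to claim an identity; the proxy strips them
# because JavaScript-supplied values can be viewed and altered by the user.
CLIENT_IDENTITY_HEADERS = {"x-user-id", "x-identity-assertion", "authorization"}


class ProxyError(Exception):
    """Raised when the proxy refuses to forward a client request."""


def sign_assertion(user_id, issued_at, secret):
    """Build '<json payload>.<hex hmac>' binding user_id to an issue time."""
    payload = json.dumps({"sub": user_id, "iat": issued_at}, sort_keys=True)
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_assertion(assertion, secret, now, max_age=60):
    """Return the asserted user_id, or None if the MAC or age check fails."""
    payload, _, mac = assertion.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    if now - int(claims["iat"]) > max_age:
        return None
    return claims["sub"]


def build_upstream_request(client_request, now=None):
    """Turn a browser's AJAX request into the request the proxy sends upstream.

    client_request: {"session_id": str, "target": url, "headers": {...}, "body": ...}
    """
    now = int(time.time()) if now is None else now
    session = SESSIONS.get(client_request.get("session_id"))
    if session is None:
        raise ProxyError("no trusted session for this client")
    host = urlsplit(client_request["target"]).hostname
    if host not in ALLOWED_REMOTES:
        raise ProxyError("remote host %r not permitted by proxy policy" % host)
    # Keep benign client headers, drop any identity the browser tried to assert.
    headers = {
        name: value
        for name, value in client_request.get("headers", {}).items()
        if name.lower() not in CLIENT_IDENTITY_HEADERS
    }
    # Insert the trusted identity, derived from the server-side session only.
    headers["X-Identity-Assertion"] = sign_assertion(
        session["user_id"], now, SERVER_SHARED_SECRET
    )
    return {"url": client_request["target"], "headers": headers,
            "body": client_request.get("body")}


def remote_server_authenticate(upstream_request, now=None):
    """What the remote server does on receipt: trust only the signed assertion."""
    now = int(time.time()) if now is None else now
    assertion = upstream_request["headers"].get("X-Identity-Assertion")
    if assertion is None:
        return None
    return verify_assertion(assertion, SERVER_SHARED_SECRET, now)


if __name__ == "__main__":
    # Constructed browser request: the JavaScript falsely claims to be "bob".
    browser_request = {
        "session_id": "sess-123",
        "target": "https://remote.example.test/api/profile",
        "headers": {"X-User-Id": "bob", "Accept": "application/json"},
    }
    upstream = build_upstream_request(browser_request)
    print("forwarded headers:", upstream["headers"])
    print("remote server sees user:", remote_server_authenticate(upstream))
```

The two checks that matter for the trust model are that the client-supplied `X-User-Id: bob` never reaches the remote server, and that the remote server accepts only an assertion it can verify against the shared secret; a modified payload or a stale assertion is rejected.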