ooper
Posted January 9, 2008

Hey, I need to use absolute URLs for the dataURL parameter. Here is my situation:

I have multiple web server machines that service XML requests. A client does not know which server he is talking to when he makes a web service call. He just sends the request to http://www.mycompany.com/webService and our load balancer sends the request to one of the servers. The XML response is then sent back to the client. Part of the XML response has the object tag for the flash chart with the dataURL parameter in it. This has to be an absolute URL, since the XML data file is only sitting on one of the multiple servers we have. A subsequent call to a relative URL to get the data file may not get routed to the same server through the load balancer.

If you can think of a way to resolve this, please advise, otherwise I am forced to remain on the older version until there is an option to use absolute URLs. I don't want to use the dataXML option because of the limitations described in the documentation. Requiring sessions with our clients is not a solution. The web services must remain stateless.

Please add an option to allow for absolute URLs. By the way, what is the security risk?

Thanks,
Brian Barnett
Pallav
Posted January 10, 2008

Hi Brian,

We had to take this decision to disallow absolute URLs in FusionCharts, owing to an XSS attack vulnerability. In this, a malicious user could host a phishing website and then call FusionCharts SWFs from a valid website (over HTTP). Thereafter, as the dataURL of the same, he could pass some script or absolute URLs to other "evil" scripts which could get him access to cookies of the valid domain.

A way to overcome the absolute URL problem would be to host a relative proxy file like Relayer.aspx, which in turn could fetch the data from the remote page and pass it to the chart.
ooper
Posted January 10, 2008

So each of our web servers would have a Relayer.aspx, or Relayer.jsp in our case. Can you provide some pseudo code for what this file would do? Also, what would the dataURL look like in the object tag? It would point to Relayer.jsp? Like this?

    ... value="&dataURL=/Relayer.jsp"
augustd
Posted March 21, 2008

I am also having this same problem and the new XSS protection is breaking our live production site. Is there any way to disable this "feature" until we are able to create a workaround?
acrolite
Posted April 25, 2008

I'm in the same situation and would love to see an example of what the relay page does. Thanks.
FusionCharts Support
Posted April 25, 2008

Hi,

Could you try this relay PHP code?

    <?php
    // Load the XML on the server side from the remote (absolute) URL.
    $xmlDoc = new DOMDocument();
    $xmlDoc->load("http://www.fusioncharts.com/Gallery/Data/Col3D1.xml");
    // Send it back to the chart as XML.
    header('Content-type: text/xml');
    echo $xmlDoc->saveXML();
    ?>

The code loads an XML from another domain with an absolute path and prints the XML. Hence, it works as a relayer.
FusionCharts Support
Posted April 25, 2008

Hi,

We also have some relayer code for ASP:

    <%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
    <%
    ' Fetch the XML on the server side from the remote (absolute) URL.
    Dim xmlhttp
    Set xmlhttp = Server.CreateObject("Microsoft.XMLHTTP")
    xmlhttp.Open "GET", "http://www.fusioncharts.com/Gallery/Data/Col3D1.xml", false
    xmlhttp.Send
    ' Send it back to the chart as XML.
    response.ContentType="text/xml"
    response.write(xmlhttp.ResponseText)
    %>

Hope ASP.NET VB/C# would be easier.
FusionCharts Support
Posted April 25, 2008

Hi,

You can use this code to relay XML using ASP.NET:

C#.NET CODE, ASP.NET 2.0

    <%@ Page Language="C#" %>
    <script runat="server">
        protected void Page_Load(object sender, EventArgs e)
        {
            // Load the XML on the server side from the remote (absolute) URL.
            System.Xml.XmlDocument xmlDoc = new System.Xml.XmlDocument();
            xmlDoc.Load("http://www.fusioncharts.com/Gallery/Data/Col3D1.xml");
            // Send it back to the chart as XML.
            Response.ContentType = "text/xml";
            Response.Write(xmlDoc.OuterXml);
        }
    </script>

VB.NET CODE, ASP.NET 2.0

    <%@ Page Language="VB" %>
    <script runat="server">
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            ' Load the XML on the server side from the remote (absolute) URL.
            Dim xmlDoc As New System.Xml.XmlDocument
            xmlDoc.Load("http://www.fusioncharts.com/Gallery/Data/Col3D1.xml")
            ' Send it back to the chart as XML.
            Response.ContentType = "text/xml"
            Response.Write(xmlDoc.OuterXml)
        End Sub
    </script>
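Added example, not part of the thread and not FusionCharts code: the relay samples above fetch one hard-coded URL, while the multi-server case from the first post needs the relay to pick a back end per request. This Node.js version (18 or later, for the built-in `fetch`) does that through an allowlist, so the relay cannot be pointed at arbitrary hosts; the `server` and `file` parameters, the `/chartdata/` path and the hostnames are assumptions made for the example.

```javascript
// Constructed allowlist (assumption): short keys for the back-end servers
// that hold chart XML. Hostnames are placeholders.
const BACKENDS = new Map([
  ['a', 'http://app1.internal.example:8080'],
  ['b', 'http://app2.internal.example:8080'],
]);

// Accept plain file names only: no slashes, no "..", no scheme or host.
const FILE_RE = /^[A-Za-z0-9_-]{1,64}\.xml$/;

// Map the relay's query string to an upstream URL; null means "refuse".
function resolveTarget(query) {
  const params = new URLSearchParams(query);
  const origin = BACKENDS.get(params.get('server') || '');
  const file = params.get('file') || '';
  if (!origin || !FILE_RE.test(file)) return null;
  return `${origin}/chartdata/${file}`;
}

function reply(res, status, type, body) {
  res.writeHead(status, { 'Content-Type': type });
  res.end(body);
}

// Request handler: fetch the allowlisted XML and return it as text/xml.
async function relay(req, res) {
  const target = resolveTarget((req.url || '').split('?')[1] || '');
  if (!target) return reply(res, 400, 'text/plain', 'bad request');
  try {
    // redirect: 'error' stops an upstream redirect from leaving the allowlist.
    const upstream = await fetch(target, { redirect: 'error' });
    if (!upstream.ok) throw new Error(`upstream status ${upstream.status}`);
    reply(res, 200, 'text/xml', await upstream.text());
  } catch (err) {
    reply(res, 502, 'text/plain', 'upstream error');
  }
}

// Listen only when RELAY_PORT is set, e.g. RELAY_PORT=8081 node relayer.js
if (process.env.RELAY_PORT) {
  import('node:http').then((http) =>
    http.createServer(relay).listen(Number(process.env.RELAY_PORT)));
}
```

With this layout the dataURL stays relative to the site and only carries the server key and file name.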
acrolite
Posted April 26, 2008

Very cool. Thanks for the examples!
clikthrough
Posted July 31, 2008

I have a different problem, but it is very similar...

For speed benefits I have loaded the FusionCharts SWFs onto our CDN (think Akamai, Limelight, etc.) [ex url cdn.mydomain.com]. Assuming that our CDN only serves static files, I can't put the relayer (proxy) code on that subdomain.

How can I place the SWF on a subdomain that does NOT have the ability to run code (jsp, asp, php, none)? Currently the code that is generating the dataXML is located on www.mydomain.com. But both are in the same parent domain [mydomain.com], and I've loaded the crossdomain.xml into my web server so that the flash [loaded from cdn.mydomain.com] can make requests from the webpage to my server.

FusionCharts is blocking a subdomain request that even Adobe Flash is allowing (once configured/allowed).
Rahul Kumar
Posted July 31, 2008

Hi,

I am afraid you might be using an absolute URL for the XML path, e.g. "http://www.cdn.mydomain.com/x.xml". This is blocked by FusionCharts to prevent XSS attacks.

Could you please let us know whether you can use JavaScript (DHTML) in the page? In that case you can use the XMLHTTP object from JavaScript to get the XML and update the chart using the setDataXML() function.

Edited July 31, 2008 by Guest
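Added example, not part of the thread and not FusionCharts code: the approach suggested above, with the page fetching the XML itself and handing it to the chart through `setDataXML()`. The helper names, the injectable `XhrCtor` parameter and the rule of refusing any URL outside the page's own origin are assumptions made for this example; `chart` is whatever object on the page exposes `setDataXML()`.

```javascript
// Resolve dataPath against the page URL. Return the absolute URL only when
// it stays on the page's own origin (scheme + host + port), otherwise null.
function sameOriginUrl(dataPath, pageUrl) {
  let resolved;
  try {
    resolved = new URL(dataPath, pageUrl);
  } catch (err) {
    return null; // unparsable input is refused
  }
  return resolved.origin === new URL(pageUrl).origin ? resolved.href : null;
}

// Fetch the XML with XMLHttpRequest and pass it to the chart.
// XhrCtor lets a caller supply the constructor; in a browser it can be
// omitted and the built-in XMLHttpRequest is used.
// Returns false when the URL is refused, true when the request was sent.
function loadChartXml(chart, dataPath, pageUrl, XhrCtor) {
  const url = sameOriginUrl(dataPath, pageUrl);
  if (!url) return false;
  const xhr = new (XhrCtor || XMLHttpRequest)();
  xhr.open('GET', url, true);
  xhr.onreadystatechange = function () {
    // readyState 4 = request finished; only a 200 response reaches the chart.
    if (xhr.readyState === 4 && xhr.status === 200) {
      chart.setDataXML(xhr.responseText);
    }
  };
  xhr.send(null);
  return true;
}
```

In a browser the call would look like `loadChartXml(chart, 'Data/x.xml', window.location.href)`.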