
A Proxy for the Windows Live RESTful interface in PHP

This article is an introduction to writing a proxy on your own website to bypass the browser's same-origin restriction on cross-domain XHR (often loosely described as an "XSS restriction").
Here I'm taking advantage of the RESTful interface of Windows Live. This makes coding pretty cool, as you can tap into their JSON-structured OData and GET, POST, PUT and DELETE content right from the browser with a little JavaScript. Check it out at http://rex.dev.live.com


It's all about using your own tools for the job ...
$.getJSON('./proxy.php?path=Contacts/AllContacts', function(json){console.log(json)});
I'm using jQuery to access proxy.php, which relays requests to http://apis.live.net/. My proxy.php script also resolves the path on the server (it walks the Windows Live RESTful service document link by link, so a path such as Contacts/AllContacts is followed in one round trip) to reduce the number of browser->proxy requests.


My proxy script is included below. I've written it so that it passes upstream errors through to the browser and requires no additional libraries ... not even the omnipresent cURL extension. It supports all the usual request verbs (i.e. GET, POST, PUT, DELETE), and the verb may be overridden via the query string, e.g. &method=verb, for compatibility with browsers with limited XHR features. One caveat before deploying it: an absolute http(s) URL given as path is relayed as-is, with the user's access token attached, so you should restrict that branch to the apis.live.net host.

/**
 * PHP Proxy, works around the browser's same-origin (XSS) security controls.
 * Communicate with remote resources.
 * @param path (required)
 * @param method (optional)
 * E.g. "proxy.php?method=GET&path=Contacts/AllContacts"
 * @author Andrew Dodson
 */
if( isset( $_GET['path'] ) ){

    $path = $_GET['path'];
    $opts = array(
        'http'=> array(
            // 'proxy' => 'tcp://',
            'ignore_errors' => true, // relay 4xx/5xx responses instead of failing on them
            'method'=> 'GET',
            'header'=>"Content-Type: application/json\r\nAuthorization: WRAP access_token=" . $_COOKIE['accessToken'] . "\r\nAccept: application/json\r\n"
        )
    );

    // An absolute URL is fetched as-is. Otherwise start at the service root and
    // follow one path segment per request: the array union keeps the base URL
    // at index 0 (explode's leading empty string) and the segments after it.
    $a = ( preg_match("#^https?:\/\/#",$path)
        ? array($path)
        : array('http://apis.live.net/v4.0/') + explode('/', '/'.trim($path, '/') ) );

    $resp = null;
    $meta = array('wrapper_data' => array());
    $last = count($a) - 1;

    foreach( $a as $i => $path ){
        // If this is the last request, forward the caller's payload and verb
        if( $i === $last ){
            $opts['http']['content'] = file_get_contents("php://input"); // payload
            $opts['http']['method'] = (!empty($_GET['method'])?$_GET['method']:$_SERVER['REQUEST_METHOD']); // e.g. GET,POST,PUT
        }
        // do we need to define the path? Every response after the first is a JSON
        // document whose "<Segment>Link" entry points at the next resource.
        if( $resp !== null ){
            $json = (array)json_decode($resp);
            $path = $json[$path.'Link'];
            if(!preg_match('#^https?:\/\/#', $path))
                $path = $json['BaseUri'] . $path;
        }
        // Make the request
        if (!$fp = fopen($path, 'r', false, stream_context_create($opts))) {
            header('HTTP/1.1 502 Bad Gateway');
            exit;
        }
        $resp = stream_get_contents($fp);
        $meta = stream_get_meta_data($fp); // wrapper_data holds the upstream status line and headers
        fclose($fp);
    }

    // Relay the final upstream status line and headers, then the body
    foreach( $meta['wrapper_data'] as $o) header($o);
    print $resp;
}

CSRF - Cross site request forgery

Proxies, by definition, can make a multitude of HTTP requests. This makes them good entry points for malicious scripts running on other websites, especially if the caller can define the verb, as the example above allows.

The best ways to prevent unscrupulous websites from attacking your users' accounts are to...

  • Require an authentication token in GET and POST parameters, not only in cookies (the browser sends cookies on a cross-site request automatically; a parameter has to be supplied by the page, and another site cannot read your token);
  • Check the HTTP Referer header;

The Referer check is omitted from the script above because when accessing the proxy directly, as one would do in development, there is no Referer header to compare. It would look like this:

// note: HTTP_HOST carries the port when it is non-default (e.g. localhost:8080), so strip it before comparing
if( parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST ) !== $_SERVER['HTTP_HOST'] ){
      // CSRF in progress, get me out of here!
      header('HTTP/1.1 403 Forbidden');
      exit;
}
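As an added example (this is not the article's proxy.php), the two defences in the list above written out as pure PHP functions, together with an allowlist for the upstream host, since the script above relays an absolute URL given in path verbatim. The token parameter name csrf, the $_SESSION key csrf_token, and the hosts in the sample requests are assumptions made for the example.

```php
<?php
// Added example, not the article's proxy.php: the two CSRF defences listed above
// (a token carried in a request parameter, and an Origin/Referer check) plus an
// upstream host allowlist, written as pure functions so they can be exercised
// offline. Assumption: the token lives in $_SESSION['csrf_token'] and the page
// sends it back as the "csrf" parameter, e.g. ./proxy.php?csrf=...&path=...

/** Host part of a URL, lower-cased, or '' when there is none. */
function host_of(?string $url): string
{
    if ($url === null || $url === '') {
        return '';
    }
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

/** Issue (once per session) the token the page must echo back. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits, unguessable
    }
    return $session['csrf_token'];
}

/**
 * Defence 1: the token must arrive as a GET/POST parameter. The browser attaches
 * cookies to a cross-site request automatically, but a third-party page cannot
 * read this session's token to put it in the URL.
 */
function csrf_token_valid(array $session, array $params): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $params['csrf'] ?? '';
    // hash_equals: constant-time, so a wrong token cannot be refined byte by byte
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

/**
 * Defence 2: Origin (sent by browsers on cross-site POST/PUT/DELETE) or, failing
 * that, Referer must name our own host. HTTP_HOST may carry a port
 * ("localhost:8080"), so it is parsed as a URL and compared host-to-host. A
 * request with neither header is rejected, which is what a direct visit from the
 * address bar looks like.
 */
function same_origin(array $server): bool
{
    $ours = host_of('http://' . ($server['HTTP_HOST'] ?? ''));
    $from = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    return $ours !== '' && host_of($from) === $ours;
}

/**
 * Defence 3 (not in the article's script): an absolute URL in "path" is relayed
 * verbatim with the user's access token attached, so only the API host may be named.
 */
function upstream_allowed(string $path, array $allowed = ['apis.live.net']): bool
{
    if (!preg_match('#^https?://#i', $path)) {
        return true; // relative path, resolved against apis.live.net by the proxy
    }
    return in_array(host_of($path), $allowed, true);
}

function request_allowed(array $server, array $params, array $session): bool
{
    return csrf_token_valid($session, $params)
        && same_origin($server)
        && upstream_allowed((string) ($params['path'] ?? ''));
}

// ---- constructed sample requests (not captured traffic) ----------------------
$session = [];
$token   = csrf_token($session);
$requests = [
    // our own page, token present, relative API path
    'legit'  => [['HTTP_HOST' => 'example.com:8080', 'HTTP_REFERER' => 'http://example.com:8080/app/'],
                 ['csrf' => $token, 'path' => 'Contacts/AllContacts', 'method' => 'GET']],
    // cross-site page: the session cookie travels with the request, the token does not
    'forged' => [['HTTP_HOST' => 'example.com:8080', 'HTTP_REFERER' => 'http://evil.example/'],
                 ['path' => 'Contacts/AllContacts', 'method' => 'DELETE']],
    // same-origin caller trying to point the proxy, and the token, at another host
    'exfil'  => [['HTTP_HOST' => 'example.com:8080', 'HTTP_ORIGIN' => 'http://example.com:8080'],
                 ['csrf' => $token, 'path' => 'http://attacker.example/collect']],
];
foreach ($requests as $name => [$server, $params]) {
    printf("%-6s %s\n", $name, request_allowed($server, $params, $session) ? 'allowed' : 'blocked');
}
```

Only the first of the three constructed requests is allowed: the forged one carries no token (and a foreign Referer), and the third passes both CSRF checks but names a host outside the allowlist. Origin is consulted before Referer because browsers may suppress Referer under a strict referrer policy while still sending Origin on cross-site writes, and a direct visit in development supplies neither, so it is rejected rather than silently trusted.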

