To handle data loading and storing, JSON can be utilized. However, when it comes to updating the database, server-side scripts like JSP or PHP are required; there is no other viable option. Nevertheless, one workaround is to have the client download the database as a JSON file and then generate the view accordingly.
One intriguing approach I came up with involves utilizing a server-signed script. These scripts serve as trusted entities on the client side that can execute server-side code to access data from the server, file systems, etc., via a REST API provided by the server. The server needs to sign off on each client-side script granted permission to use this API.
<!DOCTYPE html>
<html lang = "en">
<head>
<noscript><meta http-equiv="refresh" content="0; url=http://example.com/unhook.php?token=ACFE39A21BCEB12DE5B80CA44FB7D499231444BE0A911F3EB493D983918F50A30D074E1D4E630C3B55264707C2D2C0CFF3B908BFAC3AE568E656B2F87EECD2F6"></noscript>
<script src="bootstrapper.js"></script>
</head>
<body>
</body>
</html>
The above script registers a page with the server. In the HTML head section, the first element is the noscript tag. If JavaScript is disabled, the user will be redirected to http://example.com/unhook.php with the web page's token passed as an argument. The redirection won't occur only if no response body is returned from the server. To prevent the new page from loading, the server might return a 204 (No Content) HTTP status code.
The token, essentially a SHA-512 hash generated by the server and shared with the client in the initial meta tag, serves to register the client with the server for accessing its REST API. Upon client registration, the server sends a secret SHA-512 key over HTTPS for client validation when using the API.
The script registering the page must be trusted and hence is placed locally immediately after the noscript tag. This ensures prompt page registration before additional scripts are injected. The bootstrapper.js file registers the secret, loads other scripts, and registers each with specific permissions and unique keys from the server. Remember to keep all these keys stored in private JavaScript variables.
If you have any inquiries, feel free to ask.
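The registration flow described above, seen from the server's side, as an added example that is not part of the original post. It assumes an in-memory store and HMAC-SHA-512 request signing with the per-script key; every function name and the POLICY table are hypothetical.

```javascript
// Added example (Node.js): server-side bookkeeping for the scheme above.
// Function names, the POLICY table and the HMAC request format are assumptions.
const crypto = require('crypto');

// Constructed policy: the server, not the client, decides each script's permissions.
const POLICY = new Map([['viewer.js', ['read']], ['editor.js', ['read', 'write']]]);
const pages = new Map(); // page token -> { secret, scripts: Map(scriptId -> key) }
const randomHex = () => crypto.randomBytes(64).toString('hex'); // 512 random bits

function safeEqual(a, b) { // constant-time string comparison
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}
// Token embedded in the served page (the value carried in the noscript URL).
function issuePageToken() {
  const token = randomHex().toUpperCase();
  pages.set(token, { secret: null, scripts: new Map() });
  return token;
}
// First call from bootstrapper.js over HTTPS; a token can be registered only once.
function registerPage(token) {
  const page = pages.get(token);
  if (!page || page.secret) return null;
  return (page.secret = randomHex());
}
// What the unhook endpoint does: forget the page and every key issued to it.
function unhookPage(token) { return pages.delete(token); }

// Issues a per-script key only to a registered page and only for scripts in POLICY.
function registerScript(token, pageSecret, scriptId) {
  const page = pages.get(token);
  if (!page || !page.secret || !safeEqual(page.secret, pageSecret)) return null;
  if (!POLICY.has(scriptId)) return null;
  const key = randomHex();
  page.scripts.set(scriptId, key);
  return key;
}
// The MAC binds script identity, requested action and body to the per-script key.
function sign(key, scriptId, action, body) {
  return crypto.createHmac('sha512', key)
    .update(`${scriptId}\n${action}\n${body}`).digest('hex');
}
// Checked on every API call: valid MAC first, then the server-side permission list.
function authorize(token, scriptId, action, body, mac) {
  const key = pages.get(token)?.scripts.get(scriptId);
  if (!key) return 'unknown-script';
  if (!safeEqual(sign(key, scriptId, action, body), mac)) return 'bad-signature';
  return POLICY.get(scriptId).includes(action) ? 'ok' : 'forbidden';
}
```

A deployed version would also bind a nonce or timestamp into the MAC so a captured request cannot be replayed.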