Overview

Canvas integrates applications at the user interface level, through the Web browser. The typical scenario for an integrated user interface is mashing up Force.com data with data from an external system. In this scenario, the external system can maintain its own database and processes, but leverage Force.com data opportunistically from the currently logged-in user. The alternative is typically heavier-weight integration whereby the servers of the external application attempt to stay synchronized with data from Force.com.

The two most important features of the Canvas are authentication and cross-domain XMLHttpRequest (XHR). These are described in the following list:

Authentication—Authentication enables your external Web application to verify that it is truly hosted inside a Force.com organization, with an authenticated Force.com user at the helm. It does this in one of two ways: by allowing the Web user to OAuth to Force.com or via Signed Request. OAuth is no different from OAuth in other contexts. Signed Request is a method whereby the Force.com platform digitally signs a request to your application’s Web server. The request includes the identity and session information of the authenticated Force.com user. If the request is decrypted and the signature verified, you can trust that it originated from Force.com and can use the session to make subsequent requests to Force.com. Canvas Java SDK provides code for verifying data sent by the Signed Request authentication method.

Cross-domain XHR—Because your Web application is being served inside an IFRAME, it is subject to cross-domain scripting limitations enforced by the standard security policies of Web browsers. This means JavaScript in your Web pages cannot call out to servers other than the one serving the parent Web page. Because a common scenario with mashups is to include data from Force.com, Canvas JavaScript SDK provides API calls to proxy your requests back to Salesforce.