+ Start a Discussion

Apex Callouts vs. AJAX calls to external RESTFul service

We are developing a hybrid managed package that would allow the user to upload documents to a third-party document management system.
The other system exposes a RESTFul API that can be invoked from the end user's browser via AJAX. The proposed design is to use plain AJAX POST (based on XmlHttpRequest) for uploading documents through the API directly. Since the AJAX communication is completely between the  browser client and the third-party API, we are concerned that this design may not pass Application Security review. We need expert opinion on the feasibility of this approach. There are 2 alternate approaches:
a) Use an iFrame on the Upload Visualforce page that would allow the user to push the file directly to a Web page hosted on the third party system. With this approach, we would need to update file upload status on the Salesforce.com org using Force.com API from the other system.
b) Build a Visualforce page whose controller would invoke the third-party API as a callout. We will hit the heap size governor limit of 6 MB and callout payload size limit of 3 MB. This approach is very limiting and would not work for large files.