Archive for October, 2006

Secure Ajax Mashups by Design

Monday, October 30th, 2006

As I said in my last post, the current browsers were not designed with mashups in mind. The current methods in use to make mashups work result in either overly restrictive or overly permissive security issues.

Take XMLHttpRequest – calls are limited to the server where the current page originated. Can’t mash up without proxying through the server. Doesn’t scale well.

Take iframes – you can embed a page from another site, but due to Javascript same-domain restrictions, you cannot communicate with that page without some quite obtuse hackery on which you’d like to avoid relying.

Take the script tag – you can execute code from another site, however you have no opportunity whatsoever to inspect it for security before it gets executed, meaning there must be a lot of trust in the other end of the transaction and no hope of avoiding man-in-the-middle attacks. Using script tag methods, cross-site cookie access can cause privacy issues. Insecure, undesirable.

What we need is browser features that were designed with mashups in mind. We need them to be added to the browsers without having to wait until IE8 and Firefox 3 (…Safari 3, Opera 10, etc).

Douglas Crockford has a set of proposals that begin to give us an answer to this dilemma. He proposes:

  • JSON – a lightweight data-interchange format
  • JSONRequest – a Javascript object designed to exchange JSON-formatted data flexibly, efficiently and securely
  • the <module> tag – an addition to HTML to create secure zones from multiple sites on a single page with controlled communication between them

JSON support is already on the way to being built into Javascript.

The main browser vendors are aware of JSONRequest and have begun talking about it together.

Douglas only recently proposed the module tag, and we as developers need to help the browser vendors understand that we want to build secure mashups, so that they will discuss among themselves and with ECMA and the W3C how this proposal, or any other, will help us do that.

Do your part to get involved with organizations like the OpenAjax Alliance to promote advances like the ones Douglas proposes.

Quite the Experience

Sunday, October 29th, 2006

I’m just starting to settle back in after getting back from last week’s Ajax Experience show in Boston. It was a great conference, with superb speakers, fantastic swag, and lots of really interested and interesting attendees. I was extremely pleased that my friends Pete Forde and Joey deVilla came along not only as attendees but to participate wholeheartedly at every turn. Toronto’s vibrant tech community was well represented by our collective presence.

When I attend these shows, one of my main objectives is to seek out people in influential positions who can work together to effect advances in the state of the art and to put them in front of each other in the hopes that some strides can be taken in a fruitful direction. I was really pleased to have had some success in doing that this past week. It’s not that these things wouldn’t happen without my being a meddling matchmaker, but I like to think that as an independent without ulterior motives I can help to accelerate the relationship building process.

One of the biggest challenges in the Ajax world is that the whole “data channel back to the server” piece doesn’t support mashups well. The solutions that support cross-domain access do so in limited or insecure ways, and the solutions that can be made secure or that afford superior control lack cross-domain access. The parts of the browser that we have used to perform these tasks were designed either for entirely different purposes or for subsets of what we now want to do.

Douglas Crockford is well known in Javascript circles. He has an uncanny ability to distill complex concepts and, using a remarkable economy of expression, present them in such a way as to be simple to understand.

In his first talk at the show, Douglas offered a series of proposals that together would enable developers to build mashed-up applications that are secure and robust. The key would be to get the browser manufacturers to implement support for JSON, create a new JSONRequest object, and introduce a new <module> tag (see Doug’s module proposal: it would provide compartmentalization of secure zones from multiple sites on a single page with controlled communication between them).
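The following is an added example (not code from this post, from the “Secure Ajax Mashups by Design” post above, or from Crockford’s JSONRequest proposal itself) showing the difference both posts turn on: a response handled strictly as JSON data can be inspected and refused before any of it is used, whereas a script tag hands the response to the interpreter sight-unseen. The acceptance rules (top-level object only, expected field types) and the sample responses are assumptions constructed for illustration.

```javascript
// Added example, not code from the post or from the JSONRequest proposal.
// A data-only channel lets the page inspect what came back before using it;
// a <script src=...> tag runs whatever the other site returned.

// Accept a cross-site response only if it is strict JSON whose top-level value
// is an object, and whose fields have the types this page expects.
// The top-level and shape rules are assumptions for this example, chosen in the
// spirit of the JSONRequest proposal (the response must be JSON text).
function acceptJsonResponse(body, shape) {
  let value;
  try {
    value = JSON.parse(body);              // strict parser; never executes code
  } catch (err) {
    return { ok: false, reason: 'not JSON: ' + err.message };
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { ok: false, reason: 'top-level value must be an object' };
  }
  // Inspect the data against the expected shape before the page touches it.
  for (const key of Object.keys(shape)) {
    if (typeof value[key] !== shape[key]) {
      return { ok: false, reason: 'field ' + key + ' is not a ' + shape[key] };
    }
  }
  return { ok: true, value: value };
}

// Shape the (hypothetical) link-count mashup expects from the remote site.
const EXPECTED_SHAPE = { user: 'string', inboundLinks: 'number' };

// Constructed sample responses, as a third-party server might return them.
const SAMPLE_RESPONSES = {
  data: '{"user":"alice","inboundLinks":3}',               // plain data: accepted
  jsonp: 'handleLinks({"user":"alice","inboundLinks":3})', // script-tag style: code, refused
  codeThenData: 'doSomething(); ({"user":"alice"})',       // statements first: refused
  primitive: '42',                                         // JSON, but not an object
  wrongShape: '{"user":"alice","inboundLinks":"3"}',       // right keys, wrong type
};

// Run every sample through the acceptor; returns name -> accepted?
function classifySamples(samples) {
  const result = {};
  for (const name of Object.keys(samples)) {
    result[name] = acceptJsonResponse(samples[name], EXPECTED_SHAPE).ok;
  }
  return result;
}

console.log(classifySamples(SAMPLE_RESPONSES));
// → { data: true, jsonp: false, codeThenData: false, primitive: false, wrongShape: false }
```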

Even if Douglas’s proposals don’t end up being the solution to these problems that is implemented, I believe that he has provided the most comprehensive starting point for discussions towards fixing up the browser to be a place that was purposefully designed for mashups.

My small part in helping to kick this into gear was to get some of the players involved to socialize and begin to discuss common goals in these mashup issues.

I found myself talking on Tuesday afternoon to Sunava Dutta, the program manager on the IE7 team responsible for the native XMLHttpRequest object. I invited him to have dinner at our table and also got Brendan Eich (Mozilla Foundation) and Douglas Crockford to join us. Nothing of import came directly from any dinner discussion, but hopefully the seeds are sown for some great interaction.

As Douglas observed on the expert panel later that evening, the web development industry has been turned on its head in comparison to the early years. Whereas originally the browser makers drove the browser feature set and imposed it on the public, the web development community is now ahead of the browser providers in demanding features to support innovation. Our collective voices can influence them to improve the browsers to suit our needs.

I’m really looking forward to the next Ajax Experience (which should be in San Francisco in April I understand) to see how far along these initiatives have come. Ben Galbraith and Dion Almaer from Ajaxian and Jay Zimmerman of NoFluffJustStuff all deserve accolades for making this show perhaps the most important venue of the current web lifecycle by attracting both the elements and the catalysts necessary to build the brightest future for web applications.

The Ajax Experience Boston Edition 2006

Saturday, October 21st, 2006

I’m off to The Ajax Experience Boston Edition 2006 tomorrow. It starts Monday morning at the Westin Boston Waterfront.

This show is the event of the season and I’m looking forward to seeing everyone. It’s not just the sessions, it’s also the opportunity to meet top people in the biz – fellow Torontonians Joey deVilla and Pete Forde will be but two of the world class developer folks in attendance.

My presentation will be right near the end of the show on Wednesday at 11:00am in Grand Ballroom C. After lunch we’ll be hearing Brendan Eich’s keynote speech about Firefox 2 (likely covering some of Javascript 1.7’s new features) just before the wrap-up ceremony.

I’ll be participating throughout the whole show on panels and in discussions, so by all means track me down and say hello.

Classic UI Design Fault

Tuesday, October 17th, 2006

Via fellow Canadian Tech Mobster Bil Simser, I discover EgoSurf, a frivolous site that comes up with a number based on inbound links to your blog from elsewhere on the web and then presents a gauge to boost your ego and a pejorative listing in their recent searches on the main page to tell everyone you’re a putz.

While it’s a clean-looking Web-Me-Too-Dot-Oh interface, they fall prey to one of the most egregiously boneheaded UI design faults I’ve ever seen. If you enter your web address with the http:// protocol, the app recognizes that you have done so and refuses to submit, displaying in red the following message:

Please don’t include the http:// in domains

…at which point, you are forced to manually navigate by tab or click back to the URL entry box and correct the entry yourself by removing http:// and then resubmit.

There’s absolutely no excuse for such stupidity. This isn’t a bank transaction. The program has already determined what’s wrong with the input. Fix it and accept it.