Secure Ajax Mashups by Design
Monday, October 30th, 2006
As I said in my last post, the current browsers were not designed with mashups in mind. The methods currently used to make mashups work are, from a security standpoint, either overly restrictive or overly permissive.
Take XMLHttpRequest – calls are limited to the server where the current page originated. Can’t mash up without proxying through the server. Doesn’t scale well.
Take iframes – you can embed a page from another site, but due to JavaScript same-domain restrictions, you cannot communicate with that page without some quite obtuse hackery on which you’d like to avoid relying.
Take the script tag – you can execute code from another site; however, you have no opportunity whatsoever to inspect it for security before it gets executed, meaning there must be a lot of trust in the other end of the transaction and no hope of avoiding man-in-the-middle attacks. Using script tag methods, cross-site cookie access can cause privacy issues. Insecure, undesirable.
What we need is browser features that were designed with mashups in mind. We need them to be added to the browsers without having to wait until IE8 and Firefox 3 (…Safari 3, Opera 10, etc).
Douglas Crockford has a set of proposals that begin to give us an answer to this dilemma. He proposes:
- JSON – a lightweight data-interchange format
- JSONRequest – a JavaScript object designed to exchange JSON-formatted data flexibly, efficiently and securely
- the <module> tag – an addition to HTML to create secure zones from multiple sites on a single page with controlled communication between them
JSON support is already on the way to being built into JavaScript.
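The script-tag risk described above, set beside handling the same response as JSON data, as an added example that is not part of the original post or of Crockford's proposals. The feed contents, the `page` object and the function names are constructed for illustration.

```javascript
// Constructed responses from a hypothetical third-party feed (not from the post).
const honestResponse = '{"title": "Weather", "items": [{"label": "Mon", "value": 12}]}';
// The same feed after tampering: valid JavaScript, but not JSON.
const tamperedResponse =
  '(function () { page.cookieRead = true; return {title: "Weather", items: []}; })()';

// Script-tag style inclusion: the response text runs as code.
// `page` is an assumed stand-in for what the including page exposes (cookies, DOM).
function loadAsScript(responseText, page) {
  return new Function('page', 'return (' + responseText + ');')(page);
}

// Data-only handling: parse, never execute, then check the shape before use.
function loadAsData(responseText) {
  let parsed;
  try {
    parsed = JSON.parse(responseText);
  } catch (err) {
    return { ok: false, reason: 'not JSON (' + err.name + ')' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'top level is not an object' };
  }
  if (typeof parsed.title !== 'string' || !Array.isArray(parsed.items)) {
    return { ok: false, reason: 'unexpected shape' };
  }
  const items = [];
  for (const item of parsed.items) {
    if (item === null || typeof item !== 'object' ||
        typeof item.label !== 'string' || !Number.isFinite(item.value)) {
      return { ok: false, reason: 'bad item' };
    }
    items.push({ label: item.label, value: item.value }); // copy known fields only
  }
  return { ok: true, data: { title: parsed.title, items } };
}

function demo() {
  const page = { cookieRead: false };
  loadAsScript(tamperedResponse, page); // the side effect happens here
  return {
    scriptTouchedPage: page.cookieRead,
    tamperedAsData: loadAsData(tamperedResponse),
    honestAsData: loadAsData(honestResponse),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Parsing as data limits a tampered response to supplying bad values rather than running code in the page; it does not by itself protect the integrity of the transport.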
The main browser vendors are aware of JSONRequest and have begun talking about it together.
Douglas only recently proposed the module tag, and we as developers need to help the browser vendors to understand that we want to build secure mashups, so we want them to discuss amongst themselves and with ECMA and W3C how this proposal or any other will help us to do that.
Do your part to get involved with organizations like the OpenAjax Alliance to promote advances like the ones Douglas proposes.