Secure Ajax Mashups by Design

October 30th, 2006

As I said in my last post, current browsers were not designed with mashups in mind. The methods currently used to make mashups work are either overly restrictive or overly permissive; neither gives us security by design.

Take XMLHttpRequest – calls are limited to the origin the current page came from (the same-origin policy). You can’t mash up without proxying every call through your own server, which doesn’t scale well and puts your server in the middle of every transaction with the third party.

Take iframes – you can embed a page from another site, but the same-origin policy stops your script from talking to that page without some fairly obscure hackery that you would rather not rely on.

Take the script tag – you can execute code from another site, but you get no opportunity whatsoever to inspect that code before it runs, so you must place complete trust in the other end of the transaction and have no defence against a man-in-the-middle substituting the script. Because the browser sends the user’s cookies for the other site along with the request, the script-tag approach also raises cross-site cookie and privacy issues. Insecure, undesirable.

What we need are browser features designed with mashups in mind, and we need them added to today’s browsers without having to wait for IE8 and Firefox 3 (…Safari 3, Opera 10, etc.).

Douglas Crockford has a set of proposals that begin to give us an answer to this dilemma. He proposes:

  • JSON – a lightweight data-interchange format
  • JSONRequest – a Javascript object designed to exchange JSON-formatted data flexibly, efficiently and securely
  • the <module> tag – an addition to HTML to create secure zones from multiple sites on a single page with controlled communication between them
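As an added illustration (this is not code from the original post, and not Crockford’s JSONRequest itself, which the browser would implement natively), here is a Node.js simulation of the script-tag channel described above beside a JSONRequest-style channel. The third-party responses, the cookie values and the `page` object are constructed stand-ins for a real document and server; the JSONRequest side models only the two properties the proposal states: the response is parsed as JSON data rather than executed, and no cookies are sent with the request.

```javascript
// Added example, not code from the original post or from Crockford's proposal.
// It contrasts two ways of pulling JSON from another site, with the third
// party's responses constructed inline so it runs offline in Node.

// Constructed responses from an imaginary third-party API.
const HONEST_JSON = '{"user":"alice","balance":42}';
const HONEST_JSONP = 'handleData(' + HONEST_JSON + ');';
// The same responses after an on-path attacker edits them in transit.
// In a real page the payload would read document.cookie and beacon it out;
// here "page" stands in for the document so the effect is observable.
const INJECTED = ' page.attackerInbox.push(page.cookie);';
const TAMPERED_JSONP = HONEST_JSONP + INJECTED;
const TAMPERED_JSON = HONEST_JSON + INJECTED;
// Constructed: the cookie the browser holds for the third-party site.
const THIRD_PARTY_COOKIE = 'othersession=xyz789';

// A stand-in for the host page: its own session cookie, the data it
// received, and a sink the attacker's payload writes to.
function makePage() {
  const page = { cookie: 'session=abc123', received: null, attackerInbox: [] };
  page.handleData = (data) => { page.received = data; };
  return page;
}

// Headers the browser attaches on the way out. A <script src> is an ordinary
// GET, so the user's cookies for the other site ride along; JSONRequest as
// proposed sends no cookies or authentication data.
function outboundHeaders(channel, thirdPartyCookie) {
  const headers = { Accept: 'application/json' };
  if (channel === 'script' && thirdPartyCookie) headers.Cookie = thirdPartyCookie;
  return headers;
}

// The <script> tag channel: whatever bytes come back are executed with the
// page's full authority. There is no hook between arrival and execution.
function scriptTagChannel(responseText, page) {
  const run = new Function('handleData', 'page', responseText);
  run(page.handleData, page);
  return { ok: true };
}

// A JSONRequest-style channel: the response is data, never code. It is
// parsed with a strict JSON parser and rejected if anything else is present.
function jsonRequestChannel(responseText, page) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (err) {
    return { ok: false, error: 'response is not valid JSON: ' + err.message };
  }
  if (data === null || typeof data !== 'object') {
    return { ok: false, error: 'top-level value must be an object or array' };
  }
  page.handleData(data);
  return { ok: true };
}

// Run one channel against one response and report what the page ended up with.
function runScenario(channel, responseText) {
  const page = makePage();
  const fn = channel === 'script' ? scriptTagChannel : jsonRequestChannel;
  const result = fn(responseText, page);
  return {
    ok: result.ok,
    received: page.received,
    leaked: page.attackerInbox.slice(),
    headers: outboundHeaders(channel, THIRD_PARTY_COOKIE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, channel, body] of [
    ['script tag, honest response', 'script', HONEST_JSONP],
    ['script tag, tampered response', 'script', TAMPERED_JSONP],
    ['JSONRequest, honest response', 'jsonrequest', HONEST_JSON],
    ['JSONRequest, tampered response', 'jsonrequest', TAMPERED_JSON],
  ]) {
    console.log(label, JSON.stringify(runScenario(channel, body)));
  }
}
```

The two tampered runs make the difference concrete: the script-tag channel delivers the data and the attacker’s payload in the same breath, while the JSON-only channel refuses the whole response because the trailing code is not JSON. The outbound headers show the other half of the argument: the script request carries the third-party cookie, the JSONRequest-style one does not.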

JSON support is already on the way to being built into Javascript.

The main browser vendors are aware of JSONRequest and have begun talking about it together.

Douglas only recently proposed the module tag. We as developers need to help the browser vendors understand that we want to build secure mashups, so that they discuss among themselves and with ECMA and the W3C how this proposal, or any other, can help us do that.

Do your part to get involved with organizations like the OpenAjax Alliance to promote advances like the ones Douglas proposes.

Quite the Experience

October 29th, 2006

I’m just starting to settle back in after getting back from last week’s Ajax Experience show in Boston. It was a great conference, with superb speakers, fantastic swag, and lots of really interested and interesting attendees. I was extremely pleased that my friends Pete Forde and Joey deVilla came along not only as attendees but to participate wholeheartedly at every turn. Toronto’s vibrant tech community was well represented by our collective presence.

When I attend these shows, one of my main objectives is to seek out people in influential positions who can work together to effect advances in the state of the art and to put them in front of each other in the hopes that some strides can be taken in a fruitful direction. I was really pleased to have had some success in doing that this past week. It’s not that these things wouldn’t happen without my being a meddling matchmaker, but I like to think that as an independent without ulterior motives I can help to accelerate the relationship building process.

One of the biggest challenges in the Ajax world is that the whole “data channel back to the server” piece doesn’t support mashups well. The solutions that support cross-domain access do so in limited or insecure ways, and the solutions that can be made secure or that afford superior control lack cross-domain access. The parts of the browser that we have used to perform these tasks were designed either for entirely different purposes or for subsets of what we now want to do.

Douglas Crockford is well known in Javascript circles. He has an uncanny ability to distill complex concepts and, using a remarkable economy of expression, present them in such a way as to be simple to understand.

In his first talk at the show, Douglas offered a series of proposals that together would enable developers to build mashed-up applications that are secure and robust. The key would be to get the browser manufacturers to implement support for JSON, create a new JSONRequest object, and introduce a new <module> tag (see Doug’s module proposal: it would provide compartmentalization of secure zones from multiple sites on a single page with controlled communication between them).

Even if Douglas’s proposals don’t end up being the solution to these problems that is implemented, I believe that he has provided the most comprehensive place to begin discussions towards fixing up the browser to be a place that was purposefully designed for mashups.

My small part in helping to kick this into gear was to get some of the players involved to socialize and begin to discuss common goals in these mashup issues.

I found myself talking on Tuesday afternoon to Sunava Dutta, the program manager on the IE7 team responsible for the native XMLHttpRequest object. I invited him to have dinner at our table and also got Brendan Eich (Mozilla Foundation) and Douglas Crockford to join us. Nothing of import came directly from any dinner discussion, but hopefully the seeds are sown for some great interaction.

As Douglas observed on the expert panel later that evening, the web development industry has been turned on its head in comparison to the early years. Whereas originally the browser makers drove the browser feature set and imposed it on the public, the web development community is now ahead of the browser providers in demanding features to support innovation. Our collective voices can influence them to improve the browsers to suit our needs.

I’m really looking forward to the next Ajax Experience (which should be in San Francisco in April I understand) to see how far along these initiatives have come. Ben Galbraith and Dion Almaer from Ajaxian and Jay Zimmerman of NoFluffJustStuff all deserve accolades for making this show perhaps the most important venue of the current web lifecycle by attracting both the elements and the catalysts necessary to build the brightest future for web applications.

The Ajax Experience Boston Edition 2006

October 21st, 2006

I’m off to The Ajax Experience Boston Edition 2006 tomorrow. It starts Monday morning at the Westin Boston Waterfront.

This show is the event of the season and I’m looking forward to seeing everyone. It’s not just the sessions, it’s also the opportunity to meet top people in the biz – fellow Torontonians Joey deVilla and Pete Forde will be but two of the world class developer folks in attendance.

My presentation will be right near the end of the show on Wednesday at 11:00am in Grand Ballroom C. After lunch we’ll be hearing Brendan Eich’s keynote speech about Firefox 2 (likely covering some of Javascript 1.7’s new features) just before the wrap-up ceremony.

I’ll be participating throughout the whole show on panels and in discussions, so by all means track me down and say hello.

Classic UI Design Fault

October 17th, 2006

Via fellow Canadian Tech Mobster Bil Simser, I discover EgoSurf, a frivolous site that comes up with a number based on inbound links to your blog from elsewhere on the web and then presents a gauge to boost your ego and a pejorative listing in their recent searches on the main page to tell everyone you’re a putz.

While it’s a clean-looking Web-Me-Too-Dot-Oh interface, they fall prey to one of the most egregiously boneheaded UI design faults I’ve ever seen. If you enter your web address with the http:// protocol, the app recognizes that you have done so and refuses to submit, displaying in red the following message:

Please don’t include the http:// in domains

…at which point, you are forced to manually navigate by tab or click back to the URL entry box and correct the entry yourself by removing http:// and then resubmit.

There’s absolutely no excuse for such stupidity. This isn’t a bank transaction. The program has already determined what’s wrong with the input. Fix it and accept it.
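What “fix it and accept it” looks like in code, as an added example (not from the original post, and not EgoSurf’s own code): let the URL parser absorb whatever the user typed and hand back the bare host name. The input strings in the usage block are constructed. The one check worth keeping is on the scheme, so that a pasted `javascript:` or `ftp:` string is refused rather than silently turned into a domain.

```javascript
// Added example, not code from the original post or from EgoSurf.
// Normalize a typed "domain" field: accept "example.com",
// "http://example.com", "HTTPS://www.Example.com/blog/?x=1", etc., and
// return just the host name. Return null only for input that cannot be a
// web host, instead of bouncing the form back to the user.
function normalizeDomain(input) {
  const raw = String(input == null ? '' : input).trim();
  if (raw === '') return null;

  // If no scheme was typed, borrow http:// so the URL parser accepts it.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw);
  const candidate = hasScheme ? raw : 'http://' + raw;

  let url;
  try {
    url = new URL(candidate);          // WHATWG URL parser, built into Node
  } catch (err) {
    return null;                       // e.g. an unparseable port or host
  }

  // Only web schemes make sense here; refuse javascript:, ftp:, data:, ...
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.hostname === '') return null;

  // Path, query, credentials and port are discarded; the parser has already
  // lower-cased and IDNA-encoded the host.
  return url.hostname;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample inputs.
  for (const s of ['example.com', 'http://example.com', '  HTTPS://Www.Example.com/blog/?x=1 ',
                   'javascript:alert(1)', 'ftp://example.com', '']) {
    console.log(JSON.stringify(s), '->', normalizeDomain(s));
  }
}
```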

Going down, next floor Basement Level

September 28th, 2006

I said four years ago that I thought America’s empire may have reached its zenith and it might be all downhill from there. The decline has only become steeper, and as I predicted at the time, the pressure has come from within.

Let us all hope that America has reached its nadir when we hear today’s news that among other things Habeas Corpus is a thing of the past for permanent US residents and torture has been redefined to the extent that it is legal if the President says so.

If there is further to go down this abyss, it’s going to get darker before it gets lighter.

Simplicity begets Stability

September 25th, 2006

I’ve been following advances in the Ajax world so I can keep my Ajax Transport Layer Alternatives presentation up to date for The Ajax Experience in Boston next month.

Harry Fuecks wrote recently about new approaches to Javascript asynchronous calls. It’s really neat stuff and I’m stretching my brain to try to understand it fully. I wonder though to what extent it will actually solve problems that really exist for most people any better than what already exists.

I’ve been making Ajax apps that work well enough for years while many people have been waiting for all the stars to align before they even try it. I’ve had all sorts of flack from pedants for using iframes and img/cookie because they’re hacks, but JSRS and RSLite have worked consistently and predictably across a large number of browsers for 5 years and more without modification. I only changed my Blogchat app to use XMLHttpRequest recently (for no really good reason – it’s been unchanged since 2002) and the first thing that happened was a huge debugging session to figure out a really wonky deep IE7 issue.

The thing about simplicity in the programming world is that it begets stability. The unknowns and dependencies introduced by layers of abstraction and frameworks and preprocessing can in some cases introduce far more potential complexity and maintenance issues than the problem at hand is worth. While there is definitely a class of complex UI problems that are now trivially resolved using the latest and greatest of libraries and frameworks, don’t forget that many simple problems deserve simple solutions.

Ajax Experience Boston 06

September 10th, 2006

Those of you who visit my blog with a browser rather than a newsreader may have noticed that for the past couple of weeks I’ve had a new banner up for the new Ajax Experience show in Boston on October 23-25 2006.

I’ll be there giving my Ajax Transport Layer Alternatives presentation, participating on panels and mixing with the attendees and presenters.

The first AE show was in May this year and was a resounding success for both the experts and the audience.

As I said to Ajaxian founder Dion Almaer when accepting the invitation for Boston, I’m really interested to follow up on the potential advances sown at the last AE and see whether I (have managed to || continue to) exert any influence whatsoever as regards connecting people who need to work together to make this technology realize its potential.

Again the sessions are 90 minutes each, so lots of time for Q&A. Although many of the sessions from the first show are slated to be repeated (many like mine updated with current information), with 5 concurrent tracks, if you attended before this is an opportunity to get to see the ones you missed last time.

The swag was great at the last show – branded AE iPod Shuffles for all. I understand alumni will qualify for a Nano this time!

If you come to the show, be sure to find me. I’ll be fairly easy to find wearing my Ajax duds.

Anticipatory design

September 6th, 2006

Pete Forde reinvents search with his Live Filter demo.

Take particular note of Pete’s never-ending auto-loading page that gets more elements from the result pool as you reach the bottom of the page. Try it yourself – click the View Results button right at the start to see all 64 items, then scroll to the bottom and watch it get the next set of items on demand before you even knew you were demanding them.

Pete and the Unspace folks have been taking serious aim at improving the state of UI interaction for the good of us all. Not content with simply implementing something like OpenRico’s LiveGrid, they apply even more anticipatory design to fixing the scroll-within-a-scroll UI anomaly that LiveGrid introduces to a page that uses it.

The result is that by anticipating a need I didn’t even know I had, they have provided an interface that is natural to use yet very powerful.