Cross-Domain Ajax. Security Implications in Depth
Some people think we should remove the "same-domain" restriction from Ajax calls, and Eric Pascarello and xml.com (amongst others) don't. I don't think we've got to the bottom of the debate yet.
Eric has 2 points:
- "script kiddies", although he doesn't elaborate on how cross-domain XHR will help them
- and the problem of slow 3rd party websites, which proxying and caching can solve.
So let's try to dig into this a bit.
I can see 2 concrete security concerns with allowing cross-domain XHR: resource theft and cross-site scripting. Can anyone think of any others?
Resource Theft
Resource theft can happen when Jack Innocent visits the website of Evil Bob. Evil Bob has written some XHR code that repeatedly requests compute-expensive pages from the site of Victim Inc. Thus Evil Bob gets to use Jack Innocent to do his nasty work.
Sounds bad? In reality I think this is a bit of a non-issue for 2 reasons. Firstly, Evil Bob can do this anyway using iframes: just create a hidden iframe with the resource-expensive URL. Secondly, the referrer header will give him away.
I think we know from experience with iframes that cross-domain XHR won't be a huge resource theft issue.
If the rest of the Internet was squeaky clean then resource theft might be an issue here, but frankly given the mess the Internet is in, stopping cross-domain XHR because of resource theft issues is like telling Sony BMG they should have a green background to XCP because people find green backgrounds less intimidating.
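Since the post's argument rests on the referrer header giving Evil Bob away, here is an added example (not code from the original post) of what a site owner would actually look for: requests to compute-expensive pages whose Referer points at another site, or carries no Referer at all. The log lines, the host name and the list of expensive paths are constructed for illustration.

```javascript
// Added example: spot cross-site hits on expensive pages in a web server log.
// OUR_HOST and EXPENSIVE_PATHS are assumptions; the log lines are constructed.
const OUR_HOST = "victim.example";
const EXPENSIVE_PATHS = ["/report/generate", "/search/full"];

// Constructed sample lines in Apache combined log format.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Nov/2005:10:00:01 +0000] "GET /report/generate?q=1 HTTP/1.1" 200 5120 "http://victim.example/reports" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Nov/2005:10:00:02 +0000] "GET /report/generate?q=2 HTTP/1.1" 200 5120 "http://evilbob.example/" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Nov/2005:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 800 "http://evilbob.example/" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Nov/2005:10:00:04 +0000] "GET /search/full?q=x HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

// ip, ident, user, [time], "method path protocol", status, bytes, "referer", "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4].split("?")[0], status: m[5], referer: m[6] };
}

function refererHost(referer) {
  if (!referer || referer === "-") return null;  // browser sent no Referer
  try { return new URL(referer).host; } catch (e) { return null; }
}

// Entries worth a second look: an expensive page requested with a Referer from
// another site, or with none at all (missing Referer is suspicious, not proof).
function findCrossSiteHits(lines, ourHost = OUR_HOST, expensive = EXPENSIVE_PATHS) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || !expensive.includes(e.path)) continue;
    const host = refererHost(e.referer);
    if (host === ourHost) continue;
    hits.push({ ip: e.ip, path: e.path, referer: e.referer, reason: host ? "foreign-referer" : "no-referer" });
  }
  return hits;
}
```

Browsers do not always send a Referer, so the "no-referer" bucket needs correlating with request rate before it means anything.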
Cross Site Scripting
The second issue is cross-site scripting. Any time you let someone else add code to your pages you trust them to do anything that anyone can do using your web interface (remember Sammy).
Who's scared of Google? Something else to worry about: Anyone using Google Analytics (like me) is trusting them with the keys to the interface to your website. Google could pull an XSS attack on anyone using Analytics.
The same issue holds with cross-domain XHR, so unless you are very careful with how you handle the response to your XHR call, you are trusting the 3rd party web site. In some cases this trust will be well placed; in some cases it won't.
Should we ban cross-domain XHR because of XSS attacks? I'm not sure, but be sure of this: there are plenty of ways to allow XSS attacks on your site without cross-domain XHR.
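What "being careful with how you do your XHR call" amounts to is treating the 3rd party's response as data rather than as code or markup. The following is an added example, not code from the original post; the feed field names and both response bodies are constructed for illustration.

```javascript
// Added example: handle a third-party XHR response as data, not code.
// The trusting pattern the post warns about gives the remote site the run of your page:
//   eval(xhr.responseText);                    // remote site now executes in your origin
//   container.innerHTML = xhr.responseText;    // remote markup, event handlers included

// Constructed responses: one well-formed, one carrying markup that would run if trusted.
const GOOD_RESPONSE = '{"headline":"DWR 1.1 released","items":["Confluence","Venkman"]}';
const HOSTILE_RESPONSE = '{"headline":"<img src=x onerror=alert(1)>","items":["<script>steal()</script>"]}';

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Parse as JSON (never eval), check the shape you expect, reject anything else.
function parseFeed(responseText) {
  let data;
  try { data = JSON.parse(responseText); } catch (e) { return null; }
  if (!data || typeof data.headline !== "string" || !Array.isArray(data.items)) return null;
  if (!data.items.every(i => typeof i === "string")) return null;
  return { headline: data.headline, items: data.items.slice(0, 20) };
}

// Build markup with every third-party string escaped, so the remote site can only
// supply text. (Setting textContent on each element achieves the same in the DOM.)
function renderFeed(responseText) {
  const feed = parseFeed(responseText);
  if (!feed) return "<p>Feed unavailable</p>";
  const items = feed.items.map(i => `<li>${escapeHtml(i)}</li>`).join("");
  return `<h2>${escapeHtml(feed.headline)}</h2><ul>${items}</ul>`;
}
```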
Slow 3rd Party Web Sites
Eric's second issue was:
"What if your server is in the US, the client is in the US, and the remote service is in India. The request has to travel halfway around the world and back to retrieve the same information it could have had on its US server. You are talking increased time having to wait for information."
Ajax brings you plenty of opportunities to shoot yourself in the foot. If I had a dollar for every time I heard someone argue, "Ajax means slow websites due to thousands of small requests" then I'd need to go to a bank because dollars are no use to me; I live in the UK. But I'd also be better off than I am now.
If you design your website to use thousands of small requests then you are asking for trouble - so don't do it! Likewise if you design your website to depend on a slow resource then expect your website to be slow. Eric is right; proxy caching is a great solution to this problem, but let's not ban cross-domain XHR because people can do silly things with it.
Why Do People Want Cross-Domain XHR?
Because it makes SOA happen in a way that it can't now. Currently if I think of a great mash-up, I will need a fancy server to make it happen, I have a lot of unnecessary extra coding, and when I get Digged or Slashdotted, I'm dead. With Cross-Domain XHR, all I need is Ajax and I'm all set. No server side computation required, no server side coding, no needing to make calls out of your server, life is a lot simpler and you have a much greater chance of surviving becoming famous.
But
To a certain extent the debate is moot: I doubt very much that Firefox 1.5 or IE7 is going to change its current behaviour. So let's not pretend this is a debate for now. Maybe in a year's time or so...
Before you go thinking I'm all for cross-domain XHR, I'm not. Yet. The security implications of such a change need to be thought out. Carefully. My only point is that I've yet to think of a reason why the world's crackers are desperate to get their hands on cross-domain XHR.
So what security implications have I not thought of?
The permanent home of this article is here. I've enabled comments on that page. Sorry for the hassle.
Confluence, Interview and Javagruppen
DWR keeps getting put into interesting new places, 3 cool ones this week. Confluence v2.0 has just been released by Atlassian and it uses DWR. I've not had a chance to play with it so far, but it's cool to see Ajax and DWR getting into bigger bits of software.
A few weeks ago I got interviewed by Dion for Ajaxian. We did the interview over Skype and it surprised me how good the call quality was. I'd given up on Skype a few times in the past because the call quality was so rubbish, but I guess there are enough users in the UK now that their P2P systems are better at transferring data; the Ajaxian interview sounds very clear. The recent blog entry on single-page vs. multi-page Ajax was a direct result of thoughts that came up in the interview. Thanks for the interview guys!
Finally I'm going to the Javagruppen / Hindsgavl 06 conference where I'll be speaking on DWR. It looks like it will be a cool conference.
IBM on DWR:
There's a great series of articles on Developer Works about Ajax by Phil McCarthy. The latest is about DWR.
It's well worth a look here.
A new home for my Venkman patch
The Firefox Javascript debugger has been looking a bit unloved and quite a few people have been using my patch, so I've created a new home for the patch. The new page is a much better place to link to than the old blog entry.
The new page has the advantage that I've done the install wizardry to make Venkman installable directly without needing to download it first.
There is a known bug where you can't launch Venkman twice in a browser session. I think this is because the close button on Venkman just hides the window rather than releasing all the resources.
If you want to install Venkman on Firefox 1.5, you know where to go.
Technorati tags: javascript, debugging, venkman, firefox
I'm off to speak at cmf2005
I've never been to Denmark before, but it seems like anyone that knows anything about content management is off to Aarhus for cmf2005.
I'm doing an introduction to Ajax talk and running a half-day tutorial on Ajax with Jonathan Downes, both of which should be fun. I'll put the slides up somewhere soon.
One of the things the Java community often gets wrong is how we use the phrase CMS. From what I can see, the content management world distinguishes between Web CMS (what we often call a CMS) and the other types of CMS, which handle document management or workflow.
Content management is a massive growth area, and one where user-interface is really really important so it will be fascinating to see how Ajax takes off in this space.
Did time just speed up again?
10 years ago we noticed how fast things were changing and invented the phrase 'Internet time'. Is it just me or is I.T. changing much faster now than it was 10 years ago?
Maybe the progression goes:
- Greenwich Mean Time (1884)
- Internet Time (1995)
- Ajax Time (2005)
When does bullet time arrive?
Ajax: Single-page vs. Multi-page
You're designing an Ajax web application: do you plan to have multiple pages or a single page? So far I've not seen much informed debate about how to decide, so here are the pointers that I've gathered from the several Ajax web applications that I've developed so far.