Friday, September 28th, 2007

Gears and the Mashup Problem

Category: Google, Presentation, Yahoo!

Douglas Crockford popped up the road from Sunnyvale to chat with Googlers on the topic of Gears and the Mashup Problem:

Mashups are the most interesting innovation in software development in decades. … Unfortunately, the browser’s security model did not anticipate this development, so mashups are not safe if there is any confidential information in the page. Since virtually every page has at least some confidential information in it, this is a big problem. Google Gears may lead to the solution.

Douglas played the curmudgeon with his usual panache, hit on the problems he sees with the Open Web, and laid out the direction he would like people to take. He was excited about WorkerPool from a sandboxing perspective, and also discussed many JSON-related things.

We are excited to have Douglas speaking and participating at The Ajax Experience once again.

Posted by Dion Almaer at 8:22 am
4.6 rating from 28 votes

13 Comments »

Interesting use of Gears, to get around the browser security model issues. Another option for mashup platform developers is to utilize a network-proxy-based sandbox, running entirely separately from the browser. This is what we’re doing over at Orchestr8, with our mashup platform.

Comment by Elliot — September 28, 2007

…Crockford invented JSON, got us all thinking about the possibilities of secure Cross Site Scripting with JSONRequest… add his Mashup guidance with Gears to the list of why Doug Crockford is a great leader in the JS community. He is the “Yoda of JavaScript” indeed. …thanks for the insightful video, Dion/Ajaxians and Google!

Comment by Mark Holton — September 28, 2007

Everything becomes a mashup…look at facebook.

This is good stuff. Thanks for posting it

Comment by EmEhRKay — September 28, 2007

Nice idea… the facebook accessing gmail example is a perfect example of this need…

side note… can someone at ajaxian fix the star rating system? the rating on this post is 4.8 of 11 posts… but only 4 stars are showing…

Comment by Owen — September 28, 2007

I have enormous respect for Douglas, but I must say I find it a bit embarrassing on his behalf that he speaks about a platform that more or less the entire world now regards as the future as “broken”…
Also security issues are more or less non-existent if you use JS for what JS was supposed to be; a rendering mechanism for widgets, nothing more, nothing less. Let the Business Logic run on the server 100% isolated from the JavaScript and let the JS take care of rendering the widgets. That solves at least 95% of all security issues. And third I must confess that speaking of a tool (Gears) that basically makes your server become nothing more than a “database” as “the solution” is just embarrassing…
1/10 points Douglas…

Comment by Thomas Hansen — September 29, 2007

Thomas-
Your comments are a bit embarrassing. How does one control the business logic when you do not control the server side? The whole point of the talk was how one secures the “modern” method of web “mash-ups”, where the logic and data come from many different sources. You describe the old web, where such a thing was not available.

Comment by Andrew Kornak — September 29, 2007

Nice talk.

I’m a little iffy on why JSON is more secure than XML. I like JSON, I really do, and particularly because my favorite server-side language, Python, does it particularly well, but what worries me is that because JSON is so similar to code, it tends to encourage fairly naive deserialization. I can get something fairly big pushed at me, and I point it to the automagical deserialization bucket and it transmogrifies into a data object.

The problem for me is that this is dangerous, particularly if you’re using dynamic or functional languages, and doubly so when you contemplate active web services, because a data object can be somewhat executable. XML’s common method of having a pre-agreed contract for data format means that if the object is dodgy, it’ll spit it out and tell you to get stuffed.

But damn it, JSON is nice.

Comment by Shayne — September 30, 2007
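An added example (not code from the post or from the talk) of the worry in the comment above: text that is "almost code" behaves very differently under `eval` than under `JSON.parse`, and a pre-agreed shape check plays the role the commenter gives XML contracts. The sample documents, the `marker` object and the user-record contract are constructed for illustration.

```javascript
// Added example, not code from the post or the talk. All inputs are constructed.
// It shows why text that is "almost code" must be parsed, never evaluated, and
// what a pre-agreed shape check (the role schemas play for XML) adds afterwards.

const marker = { tripped: false }; // set to true only if "data" ever runs as code

// Constructed: valid JSON.
const BENIGN_DOC = '{"user": "alice", "roles": ["reader"]}';
// Constructed: valid JavaScript but NOT valid JSON (a comma expression with a side effect).
const NON_JSON_DOC = '{"user": "alice", "roles": (marker.tripped = true, ["admin"])}';

// The naive pattern the comment describes: the response text is executed, not parsed.
function deserializeWithEval(text) {
  return eval("(" + text + ")");
}

// Strict parsing: only the JSON grammar is accepted; anything else throws SyntaxError.
function deserializeStrict(text) {
  return JSON.parse(text);
}

// A minimal pre-agreed contract for a user record (hypothetical shape for this example).
const ALLOWED_ROLES = new Set(["reader", "editor"]);
function isValidUserRecord(obj) {
  return (
    obj !== null && typeof obj === "object" && !Array.isArray(obj) &&
    typeof obj.user === "string" && obj.user.length > 0 &&
    Array.isArray(obj.roles) &&
    obj.roles.every((r) => typeof r === "string" && ALLOWED_ROLES.has(r))
  );
}

// Runs one document through both deserializers, then the contract check on the parsed value.
function compare(text) {
  const out = { evalAccepted: false, parseAccepted: false, contractOk: false };
  try { deserializeWithEval(text); out.evalAccepted = true; } catch (e) { /* rejected */ }
  try {
    out.contractOk = isValidUserRecord(deserializeStrict(text));
    out.parseAccepted = true;
  } catch (e) { /* SyntaxError: not JSON */ }
  return out;
}

const benign = compare(BENIGN_DOC);    // { evalAccepted: true, parseAccepted: true, contractOk: true }
const hostile = compare(NON_JSON_DOC); // { evalAccepted: true, parseAccepted: false, contractOk: false }
const evalRanCode = marker.tripped;    // true: under eval the "data" executed
```

The same strictness applies to Python's `json.loads` versus `eval` on the server side; the contract check is what catches a document that is well-formed JSON but still not the record you agreed to accept.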

@Andrew Kornak
I think you misunderstood me, and when I read my own comment I understand why in fact too. My point is that I think JS is a rendering mechanism for widgets but ALSO (of course) the transport mechanism between the server and client. If you had followed my link you would probably understand that there was no way I am able to not believe in XHR… ;)
Today a lot of people are using JS as the “new platform” and I think that’s a “dead end” and that the correct way to do Ajax is to think of it the same way we think about CISC x86 OP codes. Necessary for the program to run but you don’t want to create them by hand. You want your “compiler” (read; Ajax Framework) to create them automagically for you…

Comment by Thomas Hansen — September 30, 2007

It’s a little scary to watch a great number of people get suckered by a spokesman for the corporate machine. I believe Crockford really believes what he’s saying. Which is even scarier.

1. His primary goal is to scare developers into buying into the technology of corporate tyrants trying to control every aspect of your online experience. Do not use gears. Do not follow Adobe. Do not use any framework provided by search engines or other control freaks. Think about why you should work to improve a product aimed at controlling all future browser based application development — and YOUR options. And you probably rant about Microsoft at parties…

2. Public information should remain public. The issue isn’t whether non-public (secure data) should be protected: it’s why should public data be wrapped in a secured environment. This is called selling the devil your soul for a trifle.

3. If you aren’t transacting, you don’t need anything Crockford’s talking about. And if you are — how the hell can you believe that you need some new theory of website design to make your site secure? Because your accordion can’t send credit card info via xmlhttp timed with a fade to a lightbox? Here’s some advice: your user only cares about filling in a form and pressing a button on a page where they see a little lock in the chrome, and an https in the address bar.

4. Blaming the user. A nice theory about bad security models. It’s also a nice way to have you give up your freedom so that you can feel safe. It IS your fault if you give some 2.0 startup the login info to all your email accounts and someone (internal or external) snoops that info. Let me put it another way: Should the government legislate the build and type of your computer and operating system to prevent you from stupidly opening an .exe and spreading a virus? Think about it. How about: should a corporate entity whose only goal is exactly to track your behaviour, track your spending, control your options, funnel your abilities and interests, and profit greatly on your labour be given control over how future web applications are built? Or is the idea that Google and Yahoo, because they’re all smiley and new-age, are creating these frameworks out of pure benevolence? Still think that about Apple? Think that Facebook is there because they really, really, really want old friends to connect?

5. Complexity. In other words, an absurdly limiting, historically ignorant, old-school way of thinking. Crockford wants us all to start using a repackaged Microsoft IDE (change name as you see fit). Don’t tell me that he’s only talking to SERIOUS developers. He’s not. He’s talking about the ENTIRETY of the Ajax MOVEMENT. Listen again if you dare to disagree. He is saying that THE FUTURE OF DEVELOPMENT is at risk. The most technical point: This initiative will never take off. Oh, some stuff will happen around it — stuff representing .01% of new ideas and developments with 99% of the media face. Don’t follow the piper.

6. Once again: why do you want to spend YOUR time learning a CORPORATE framework so that THEY can profit and YOU can MAYBE get a dead end job plugging widgets into Microsoft Sharepoint (or whatever Crockford called it). It’s already bad enough how development jobs that used to be about NEW ideas (skilled developer in Javascript, etc.), now read like this: must know Dojo, must talk Prototype…. don’t be a cow, man.

Comment by jimbob — September 30, 2007

I’m surprised no one else mentioned the stunning silence at the end of this video. It’s obvious from the comments here that what he’s saying is incendiary on a number of levels, but the mood in the room felt unusually restrained. Maybe it’s just the video?

Comment by Chris Snyder — October 3, 2007

The good lecture. I do it now. Thank you.

Comment by دردشة — November 11, 2007

Lecture fairly long, but I benefited somewhat.

Greetings to all.

Comment by شات — November 11, 2007

Nice lecture, so interesting, thank you.

Comment by Mido — August 28, 2009
