Comments on: Kevin Lynch at the Ajax Experience http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience Cleaning up the web with Ajax Thu, 09 Feb 2012 06:55:33 +0000 hourly 1 http://wordpress.org/?v=3.2 By: Ethan Malasky http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253503 Ethan Malasky Thu, 02 Aug 2007 23:22:00 +0000 http://ajaxian.com/?p=2615#comment-253503 pdp -- Ah, I see your point. You are not wrong. In your example, B.com's data is more vulnerable, since any client it permits (A.com) may have XSS vulnerabilities. However, A.com is *less* vulnerable, since it no longer has to rely on JSON importing in order to access B.com's data. It can load the data via XmlHttpRequest and not fear that man-in-the-middle attacks or ownage of B.com would render its own site (A.com) vulnerable. That's the point I was trying to make. As a whole, I think it's an improvement, since the risk is assumed by the data provider, rather than the consumer. But depending on your role, it'd be reasonable to feel differently. If you're the data provider, you might prefer that your clients assume all the risk. -Ethan pdp –

Ah, I see your point. You are not wrong.

In your example, B.com’s data is more vulnerable, since any client it permits (A.com) may have XSS vulnerabilities.

However, A.com is *less* vulnerable, since it no longer has to rely on JSON importing in order to access B.com’s data. It can load the data via XmlHttpRequest and not fear that man-in-the-middle attacks or ownage of B.com would render its own site (A.com) vulnerable.

That’s the point I was trying to make. As a whole, I think it’s an improvement, since the risk is assumed by the data provider, rather than the consumer. But depending on your role, it’d be reasonable to feel differently. If you’re the data provider, you might prefer that your clients assume all the risk.

-Ethan

]]> By: pdp http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253338 pdp Mon, 30 Jul 2007 23:08:38 +0000 http://ajaxian.com/?p=2615#comment-253338 Ethan, I understand what you are saying. However, what I am trying to say is that with or without crossdomain.xml, XMLHttpRequest objects and JavaScript remoting hacks work. Let me make it clearer. :) Due to the Same Origin Policies JavaScript can access only the current origin. Even if you implement the crossdomain.xml file, JavaScript again will be able to access the current origin. Why? Compatibly issues. We cannot move to the new technology over the night. With or without crossdomain.xml JSON or JavaScript remoting, if you like, will still work. The only thing that will change is increased attack surface due to the trust relationship between apps. Let me explain. Let's say that we have app on A.com and another one on B.com. B.com says that A.com can access its data. Effectively, this means that If I can get XSS on A.com, I will be able to read the data on that domain including the data on B.com due to the trust relationship. Today this is not possible. I need two XSS vulns rather the one. Again, correct me if I am wrong :) Ethan,

I understand what you are saying. However, what I am trying to say is that with or without crossdomain.xml, XMLHttpRequest objects and JavaScript remoting hacks work. Let me make it clearer. :)

Due to the Same Origin Policies JavaScript can access only the current origin. Even if you implement the crossdomain.xml file, JavaScript again will be able to access the current origin. Why? Compatibly issues. We cannot move to the new technology over the night. With or without crossdomain.xml JSON or JavaScript remoting, if you like, will still work. The only thing that will change is increased attack surface due to the trust relationship between apps. Let me explain.

Let’s say that we have app on A.com and another one on B.com. B.com says that A.com can access its data. Effectively, this means that If I can get XSS on A.com, I will be able to read the data on that domain including the data on B.com due to the trust relationship. Today this is not possible. I need two XSS vulns rather the one.

Again, correct me if I am wrong :)

]]> By: Ethan Malasky http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253335 Ethan Malasky Mon, 30 Jul 2007 22:41:39 +0000 http://ajaxian.com/?p=2615#comment-253335 pdp, I need to correct you. There are different attacks being addressed. Same-domain restrictions on data loading (e.g. XmlHttpRequest) are intended to protect the server hosting the *data*. Imagine, for example, servers behind a firewall. They should not be automatically query-able by external content running in a browser. However, this restriction in the browser provided no means for servers to *permit* cross-domain data access. crossdomain.xml addresses this limitation with an explicit permission mechanism. JSON output also addresses this restriction, but opens up an opportunity for attack to server hosting the *requesting application*. Loading a .js file from another domain opens up your web app to attack. The loaded JS is essentially imported into your app's domain, giving it full privilege to query your app's server -- complete with session credentials! So, further use of crossdomain.xml for real data loading via XmlHttpRequest should reduce the use of cross-domain JSON for otherwise safe data loading operations. pdp, I need to correct you.

There are different attacks being addressed. Same-domain restrictions on data loading (e.g. XmlHttpRequest) are intended to protect the server hosting the *data*. Imagine, for example, servers behind a firewall. They should not be automatically query-able by external content running in a browser.

However, this restriction in the browser provided no means for servers to *permit* cross-domain data access. crossdomain.xml addresses this limitation with an explicit permission mechanism. JSON output also addresses this restriction, but opens up an opportunity for attack to server hosting the *requesting application*.

Loading a .js file from another domain opens up your web app to attack. The loaded JS is essentially imported into your app’s domain, giving it full privilege to query your app’s server — complete with session credentials!

So, further use of crossdomain.xml for real data loading via XmlHttpRequest should reduce the use of cross-domain JSON for otherwise safe data loading operations.

]]> By: pdp http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253323 pdp Mon, 30 Jul 2007 15:19:19 +0000 http://ajaxian.com/?p=2615#comment-253323 IMHO, crossdomain.xml wont solve anything but will increase the attack surface. Keep in mind that there is a big difference between XMLHttpRequests and JavaScript remoting. I cannot see why simple JavaScript includes should be restricted by the crossdomain.xml file. Therefore, given that fact that almost every service provides JSON output, you will increase the attack surface by making XMLHttpRequest calls not only available to the current origin but also to other websites. Correct me if I am wrong. IMHO, crossdomain.xml wont solve anything but will increase the attack surface. Keep in mind that there is a big difference between XMLHttpRequests and JavaScript remoting. I cannot see why simple JavaScript includes should be restricted by the crossdomain.xml file. Therefore, given that fact that almost every service provides JSON output, you will increase the attack surface by making XMLHttpRequest calls not only available to the current origin but also to other websites. Correct me if I am wrong.

]]> By: riper http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253313 riper Mon, 30 Jul 2007 10:38:30 +0000 http://ajaxian.com/?p=2615#comment-253313 cross-domain-policy sounds great ! cross-domain-policy sounds great !

]]> By: greg huddleston http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253288 greg huddleston Sat, 28 Jul 2007 19:08:45 +0000 http://ajaxian.com/?p=2615#comment-253288 Hi. Pulled 'favideo' yesterday & it works pretty good. No mention in notes about proper syntax to point to a Adobe media &/or red5 based RTMP stream. I would expect it to do this. Anyone know of some docs/release notes with an example of such? Cheers GregH Hi. Pulled ‘favideo’ yesterday & it works pretty good.

No mention in notes about proper syntax to point to a Adobe media &/or red5 based RTMP stream.

I would expect it to do this.

Anyone know of some docs/release notes with an example of such?

Cheers GregH

]]> By: Pixy Misa http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253258 Pixy Misa Fri, 27 Jul 2007 20:51:34 +0000 http://ajaxian.com/?p=2615#comment-253258 Early web applications had a lot in common with mainframe apps. The browser acted like a block-mode terminal, only with pictures and lousy error handling. Early web applications had a lot in common with mainframe apps. The browser acted like a block-mode terminal, only with pictures and lousy error handling.

]]> By: Mark Holton http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253251 Mark Holton Fri, 27 Jul 2007 18:12:56 +0000 http://ajaxian.com/?p=2615#comment-253251 ...btw, love hearing as much as possible about E4X, the syntax is clean, and the fact that XML has become a primitive in ES (JS/AS) is applauded. Wondering: does anyone have any links related to quantitative performance of E4X vs other DOM traversal methods?? Would like to see benchmarks { this one is a start (the Ajaxians posted awhile back): http://ajaxian.com/archives/census-ria-data-loading-benchmarks http://www.jamesward.org/census/ } …btw, love hearing as much as possible about E4X, the syntax is clean, and the fact that XML has become a primitive in ES (JS/AS) is applauded. Wondering: does anyone have any links related to quantitative performance of E4X vs other DOM traversal methods?? Would like to see benchmarks { this one is a start (the Ajaxians posted awhile back):
http://ajaxian.com/archives/census-ria-data-loading-benchmarks
http://www.jamesward.org/census/ }

]]> By: Mark Holton http://ajaxian.com/archives/kevin-lynch-at-the-ajax-experience/comment-page-1#comment-253250 Mark Holton Fri, 27 Jul 2007 18:03:39 +0000 http://ajaxian.com/?p=2615#comment-253250 Always like Ben's writeups, they are comprehensive. Many thanks for the great info! ...Although crossdomain.xml for Flash has been around awhile, I like that Adobe is getting the word out about that. It would seem 'cleaner' for a straight Ajax app to be able to get info cross-domain in straight JS through the browser, but it's not like it's that much extra to include a Flash .swf and write a little extra code to accomplish a similar x-domain transport. (Likewise, I always like it when there is a 'push' from a group or company to increase motivation for other platforms towards a worthwhile technology) Always like Ben’s writeups, they are comprehensive. Many thanks for the great info! …Although crossdomain.xml for Flash has been around awhile, I like that Adobe is getting the word out about that. It would seem ‘cleaner’ for a straight Ajax app to be able to get info cross-domain in straight JS through the browser, but it’s not like it’s that much extra to include a Flash .swf and write a little extra code to accomplish a similar x-domain transport. (Likewise, I always like it when there is a ‘push’ from a group or company to increase motivation for other platforms towards a worthwhile technology)

]]>