Tuesday, October 31st, 2006
Douglas Crockford gave a great talk at the show last week on JSON, and on how we can get to a place where secure Ajax mashups are possible.
Brent Ashley just posted about the situation:
Take XMLHttpRequest – calls are limited to the server where the current page originated. Can’t mash up without proxying through the server. Doesn’t scale well.
Take the script tag – you can execute code from another site, however you have no opportunity whatsoever to inspect it for security before it gets executed, meaning there must be a lot of trust in the other end of the transaction and no hope of avoiding man-in-the-middle attacks. Using script tag methods, cross-site cookie access can cause privacy issues. Insecure, undesirable.
What we need is browser features that were designed with mashups in mind. We need them to be added to the browsers without having to wait until IE8 and Firefox 3 (…Safari 3, Opera 10, etc).
We have heard about JSON and JSONRequest, but the new kid on the block is a new HTML tag, <module>, that allows you to create secure zones from multiple sites on a single page with controlled communication between them.
I propose a new HTML tag for partitioning a page into a collection of modules.
A module has three attributes: id, which is used by scripts to gain access to the module node; a second attribute, which is the URL of either a script file or an HTML file; and a third, which is used to set the size and location of the module. (There may turn out to be additional attributes.)
A module has two nodes. The outer node is exposed only to the outer document. The inner node is the module’s window object. Scripts on one side of the module barrier are unable to call scripts on the other side to access or modify the other side’s data structures or document structures. Communication between the outer and inner nodes is permitted only using a send/receive mechanism.
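To make the send/receive barrier concrete, here is an added toy model (not code from the post or from Crockford's proposal; the function names and the sample messages are constructed): the only thing that crosses between the outer page and the inner module is JSON text, so functions, object references and the other side's state never make it across, and each side still validates what it receives.

```javascript
// Toy model of the <module> barrier: two sides, each with a private receive
// handler, connected only by a channel that serializes every message to JSON.
function createModuleBarrier() {
  const handlers = { outer: null, inner: null };
  // Round-tripping through JSON text is what makes the channel data-only:
  // functions are dropped, prototypes are lost, and the receiver gets a copy.
  function deliver(to, payload) {
    const text = JSON.stringify(payload);
    if (text === undefined) throw new Error('message is not JSON-serializable');
    const copy = JSON.parse(text);
    if (handlers[to]) handlers[to](copy);
  }
  return {
    outer: { send: (p) => deliver('inner', p), receive: (fn) => { handlers.outer = fn; } },
    inner: { send: (p) => deliver('outer', p), receive: (fn) => { handlers.inner = fn; } },
  };
}

// Drives one exchange and returns what each side saw, for inspection.
function demo() {
  const bridge = createModuleBarrier();
  const seenByModule = [];
  const seenByPage = [];
  const moduleState = { secret: 'constructed-secret' }; // never leaves this side

  // Inner module (e.g. a third-party widget): answers queries with data only.
  bridge.inner.receive((msg) => {
    seenByModule.push(msg);
    if (msg && msg.type === 'query') {
      bridge.inner.send({ type: 'answer', length: String(msg.q).length });
    }
  });

  // Outer page: accepts only plain objects with a string "type" field.
  bridge.outer.receive((msg) => {
    if (msg && typeof msg === 'object' && typeof msg.type === 'string') seenByPage.push(msg);
  });

  // The callback property is a function: it cannot survive the JSON trip, so the
  // module has no way to call back into the page's objects.
  const outgoing = { type: 'query', q: 'hello', callback: () => moduleState };
  bridge.outer.send(outgoing);
  bridge.inner.send('not an object'); // rejected by the page's shape check
  return { seenByModule, seenByPage, outgoing };
}
```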
We all need to get behind these proposals, get the process started, and really push for a new browser security model that lets us take these applications to the next level. What do you think we need?
Posted by Dion Almaer at 8:20 am