Tuesday, April 3rd, 2007
Ajax pioneer Brent Ashley has written a Developerworks article about making Ajax mashup secure. It looks at where it’s at today and where it’s all headed.
The scalability benefit of the <script> tag comes at the cost of sidestepping the Same Origin Policy security model, introducing potential attack vulnerabilities:
- Cross-site cookie access becomes possible: Scripts from one site can access cookies from another site.
- There is no opportunity to inspect the retrieved code for safety issues before running it: The code runs immediately upon loading.
One short-term solution is the following IFrame fragment identifier hack.
We’ll hopefully see more flexible, purpose-built, solutions in the future, and Brent’s article summarizes the proposals under discussion – JSONRequest, <module> tag, content restrictions header, W3C Access Control List (ACL) System, Cross-browser.xml.
With all these facilities potentially in the pipeline, one can only hope there will be a clear winner that works in all major browsers, or at least enough overlap that the Ajax libs can provide a straightforward abstraction!!!
Posted by Michael Mahemoff at 6:27 pm