Welcome!

Jon Ferraiolo

Subscribe to Jon Ferraiolo: eMailAlertsEmail Alerts
Get Jon Ferraiolo via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: RIA Developer's Journal, Enterprise Mashups, OpenAjax Alliance News

RIA & Ajax: Article

AJAX and Mashup Security

Security threats and tips to avoid them
By Jon Ferraiolo, on behalf of the OpenAjax Alliance
Article Rating:
December 3, 2007 09:15 PM EST
Reads:
 9,155

This article provides an introduction to some of the security threats associated with AJAX technologies, particularly when used within mashup scenarios, and then offers a list of recommended best practices.

Understanding the Same-Origin Policy
One of the foundations of Web security is the "same-origin" policy, which is widely implemented by Web browsers, including the most popular ones (e.g., Internet Explorer, Firefox, Safari, and Opera). Browsers implement the same-origin policy as a protection mechanism in order to isolate Web applications coming from different domains, under the assumption that different domains represent different originators. As a result, if applications in multiple windows or frames are downloaded from different servers, they will not be able to access each other's data and scripts. In the context of XMLHttpRequest, the same-origin policy is intended to control an application's interaction with remote servers.

However, the same-origin policy does not offer complete protection for several reasons. It's possible to bypass the same-origin policy in many ways. We'll illustrate some of these later.

Furthermore, even if a Web server is from a trusted domain, it might not be the originator of all of the content, especially in the context of Web 2.0. For example, an enterprise portal server, Web-based mail server, social networking site, or wiki may be trusted, but the contents they host may include input from potentially malicious third parties, which might result in cross-site scripting (XSS) attacks (described later).

Published December 3, 2007 – Reads 9,155
Copyright © 2007 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.

More Stories By Jon Ferraiolo

Jon Ferraiolo is an employee of IBM within its Emerging Internet Technologies group. Jon is devoted exclusively to OpenAjax Alliance, where he manages operations and leads many activities.Before joining IBM in 2006, Jon worked at Adobe for 13 years where he was an architect, engineering manager and product manager.

Jon has been a speaker at every AJAXWorld conference since October 2006, and has spoken at dozens of other industry conferences in the past couple of years. AJAXWorld magazine has published 6 or 7 articles Jon has submitted over the past couple of years.

More Stories By on behalf of the OpenAjax Alliance

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.