Security in Ajax web applications is of growing importance. While the client-server model is very useful for architecting web applications, the web security is model is not client-server, but rather a client-deputy-server model. Understanding this security model is important for building secure web applications, and it is becoming even more important as we build mashups and web applications that utilize cross-site resources.

In a client-server model, the client acts on behalf of the user, and the server trusts the client to the degree that a user is authorized. In the client-deputy-server model, the deputy (the browser) acts on behalf of the user, with suspicion of the client (web page/JavaScript), taking responsibility for some aspects of security, limiting client to client interaction. By understanding the mechanisms for the deputy boundaries, servers can appropriately participate in the security model with proper trust for the browser to act on behalf of the user. We will look at how to secure resources from being accessed from the wrong clients and protect clients from malicious server code.

(more…)

Google and Yahoo have JavaScript APIs that let you perform searches. Wikipedia has a JavaScript API that lets you grab data from its pages. These APIs can be accessed cross-domain with a transport method known as JSONP. JSONP works by allowing you add a script tag to your page which points to a URL on their server. The server outputs JavaScript that will call a method (defined as part of the query string in the URL), passing it JSON-formatted data.

You’ll notice that these services are read-only. I don’t currently know of any cross-domain JavaScript APIs that allow you to write data in any meaningful way. An example of this sort of data would be a way, through JavaScript, to update your status on a social networking web site.

(more…)

The window.name transport is a new technique for secure cross-domain browser based data transfer, and can be utilized for creating secure mashups with untrusted sources. window.name is implemented in Dojo in the new dojox.io.windowName module, and it is very easy to make web services available through the window.name protocol. window.name works by loading a cross-domain HTML file in an iframe. The HTML file then sets its window.name to the string content that should be delivered to the requester. The requester can then retrieve the window.name value as the response. The requested resource never has access to the requester’s environment (JavaScript variables, cookies, and DOM).

(more…)