Ajax + crossdomain.xml
I ran across a few posts today on Google about using a crossdomain.xml policy file (that is the actual filename Flash Player looks for) with Ajax. There were several views, but one stuck out. One commenter, whose name I don't remember and doesn't matter here, said that some people like to make cross-site data calls. That is understandable, but for the majority who want to keep things secure, a crossdomain.xml-style policy seems like a perfect fit.
Now, the difference is that Ajax is not "built into" JavaScript the way cross-domain loading is built into Flash, even though its pieces are. Let me explain. Ajax is a collection of browser features (XMLHttpRequest plus DOM scripting) that many people have bundled into packages or engines, named and published (JSMX, ajaxCFC, Backbase, CFAjax, etc.). What I mean by "not built in" is that you control what the Ajax engine does, so in principle you could tell it to consult a crossdomain.xml or to ignore it. In Flash you have no such option: if you want to load anything from outside the present domain, the target server must publish a crossdomain.xml, because the check is built into the player. JavaScript doesn't have that "issue", so it is easily avoided. The catch is that a policy file honored only by the client-side library is not a security control at all: any page can ship an engine that skips the check. What actually keeps an Ajax call in bounds is the browser's same-origin policy, which stops XMLHttpRequest from reading a response from another origin no matter which engine issued the request. Flash's policy file works because the server that owns the data publishes it and the player enforces it; the requesting site cannot opt itself in.
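Because the whole value of crossdomain.xml lies in what the owning server puts in it, here is an added example (not code from the original post) that audits a policy file the way a reviewer would: it parses the `allow-access-from` rules, decides whether a given calling page would be granted access, and flags the two settings that turn the file from a control into a hole. The two sample policies and all hostnames are constructed for this example.

```javascript
// Added example, not code from the original post: a small auditor for a Flash
// crossdomain.xml policy. The sample policies below are constructed for this
// example and the hostnames are made up.

const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>`;

const STRICT_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>`;

// Pull out each <allow-access-from> element and its attributes. A regex is
// enough here because the policy grammar is flat; a full auditor would use a
// real XML parser and also inspect the site-control element.
function parseCrossDomainPolicy(xml) {
  const rules = [];
  const elementRe = /<allow-access-from\b([^>]*?)\/?>/gi;
  let m;
  while ((m = elementRe.exec(xml)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    rules.push({
      domain: (attrs.domain || '').toLowerCase(),
      // secure defaults to true; only an explicit secure="false" waives the
      // HTTPS requirement for a policy that is itself served over HTTPS.
      secure: (attrs.secure || 'true').toLowerCase() !== 'false',
    });
  }
  return rules;
}

// Does a domain pattern from the policy cover this hostname?
// Assumption made for this example: "*.base" covers base itself and every
// subdomain of it.
function domainMatches(pattern, host) {
  host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// Would a SWF loaded from callerOrigin be allowed to read data from the host
// serving this policy? policyScheme is the scheme the policy file itself was
// fetched over ("http" or "https").
function requestAllowed(rules, policyScheme, callerOrigin) {
  const caller = new URL(callerOrigin);
  const callerIsHttps = caller.protocol === 'https:';
  return rules.some((r) => {
    if (!domainMatches(r.domain, caller.hostname)) return false;
    // An HTTPS policy admits only HTTPS callers unless the rule says secure="false".
    if (policyScheme === 'https' && r.secure && !callerIsHttps) return false;
    return true;
  });
}

// Flag the rules a reviewer should push back on.
function auditPolicy(rules) {
  const findings = [];
  for (const r of rules) {
    if (r.domain === '*') {
      findings.push('domain="*": any site on the web can read this host\'s responses, with the visitor\'s cookies attached');
    }
    if (!r.secure) {
      findings.push(`domain="${r.domain}" secure="false": a plain-HTTP page may read this host's HTTPS responses`);
    }
  }
  return findings;
}

// Stand-alone run: show what the auditor says about each policy.
for (const [name, xml] of [['weak', WEAK_POLICY], ['strict', STRICT_POLICY]]) {
  const rules = parseCrossDomainPolicy(xml);
  console.log(name, auditPolicy(rules));
  console.log(name, 'http://attacker.example ->', requestAllowed(rules, 'https', 'http://attacker.example'));
}
```

The weak policy is the one you find on far too many servers: `domain="*"` lets any page on the web pull data with the visitor's session cookies, and `secure="false"` lets a plain-HTTP page read HTTPS responses. The strict policy names the exact hosts that need access, which is the point of the file.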
Security is a huge issue that some folks take for granted. That's fine, but some of us like to keep things under tight wraps and highly secure. I'm about in the middle: security is huge, but in some cases it is easy to pile on overkill. Requiring a crossdomain.xml is nowhere near overkill; it just makes the server that owns the data say explicitly which sites may read it.
My favorite description of Ajax is "Ajax is (essentially) Flash Remoting for JavaScript."
What are your thoughts on Ajax security?
Posted by John C. Bland II on March 15, 2006 9:32 PM | Permalink
Comments
I can write a full article on this, but if you want the short version, it is that Ajax should not need to access other domains. Cross-domain is a security hole, and most developers do not realize that.
The short version is that Web Services should be called from the server-side language, not JavaScript. If you call them from JS, it means that the business logic to handle the result is also JS, which IMHO is bad practice. All business logic should sit on the server and JS should only be the presentation layer, and XMLHttpRequest is nothing more than a transport. That said, if you need to access a WS, you should invoke it from the server and then update your view. Remoting is slightly different because Flash contains the business logic and it's compiled in the SWF. JS can be used the same way, but I strongly advise against it.
Posted by: Rob Gonda | March 17, 2006 6:41 PM
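The server-side gateway the comment above argues for, as an added example that is not part of the original post or comment. The page's JavaScript only ever calls this server and names a service, never a URL; the server decides which upstream endpoint to hit and keeps the business logic. The service names, upstream URLs and the sample upstream reply are made up for this example, and the HTTP client is injected so the code runs offline.

```javascript
// Added example, not code from the original post or comment: a Node.js
// gateway that invokes web services server-side on behalf of the page.
// Service names, upstream URLs and the sample reply are constructed.

// The page may name a service, never a URL. Each entry fixes the upstream
// endpoint and the only query parameters the page is allowed to influence, so
// the gateway cannot be turned into an open proxy against internal hosts.
const SERVICES = new Map([
  ['weather', { upstream: 'https://ws.example.net/weather', params: ['zip'] }],
  ['quote',   { upstream: 'https://ws.example.net/quote',   params: ['symbol'] }],
]);

// Returns the exact upstream URL for a request, or null if the page asked for
// something that is not on the list.
function resolveServiceCall(serviceName, query) {
  const svc = SERVICES.get(serviceName); // a Map lookup: no "constructor" surprises
  if (!svc) return null;
  const url = new URL(svc.upstream);
  for (const key of svc.params) {
    // Only listed parameters are forwarded; anything else the page sends is dropped.
    if (typeof query[key] === 'string' && query[key].length <= 64) {
      url.searchParams.set(key, query[key]);
    }
  }
  return url.toString();
}

// Business logic stays here: reduce the upstream document to the view model
// the page needs, so the browser never sees fields it should not.
function toViewModel(serviceName, upstream) {
  if (serviceName === 'weather') {
    return { city: String(upstream.city), tempF: Number(upstream.temperature_f) };
  }
  if (serviceName === 'quote') {
    return { symbol: String(upstream.symbol), last: Number(upstream.last_price) };
  }
  return {};
}

// fetchJson is injected so the gateway can be exercised without network access;
// in production it would be an HTTP client with a timeout and a size limit.
async function handleServiceRequest(serviceName, query, fetchJson) {
  const url = resolveServiceCall(serviceName, query);
  if (url === null) return { status: 404, body: { error: 'unknown service' } };
  const data = await fetchJson(url);
  return { status: 200, body: toViewModel(serviceName, data) };
}

// Stand-alone run with a constructed upstream reply. Note the page's attempt to
// smuggle in a "url" parameter is simply ignored.
const fakeFetch = async () => ({ city: 'Atlanta', temperature_f: '72', internal_node: 'ws-07' });
handleServiceRequest('weather', { zip: '30301', url: 'http://10.0.0.1/admin' }, fakeFetch)
  .then((res) => console.log(JSON.stringify(res)));
```

The view the page updates is built from `body` only; the upstream's `internal_node` field never leaves the server, which is the practical payoff of keeping the result-handling logic off the client.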