Yes, the security issues are pervasive. Read "Ajax Security" by Billy
Hoffman @ SPI Dynamics (now HP) for a great review of these concerns.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Feb 8, 2008, at 11:20 AM, shawn gorrell wrote:
Charlie, my main issues with AJAX are dealing with cross-browser
issues, and security.
AJAX exposes some of the most annoying cross-browser DHTML sort of
things. Using libraries and frameworks can insulate you from that to
a degree, but not always completely. I've got a customer doing
things with Google Maps and we've had some differences between IE
and FF that have been difficult to solve.
People have gotten so excited about using AJAX that they have
forgotten basic security principles (things like validating input).
I recently read an article that discussed the security holes in the
more commonly used frameworks, so the issue isn't just with roll
your own AJAX, it is more pervasive.
But, those things said, ultimately I think it is a step forward in
making a richer browser experience (not as much as Flex though).
There are just some fleas on the dog that folks should be aware of
in advance.
----- Original Message ----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: [email protected]
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and
ColdFusion)
That seems a curious statement, Forrest, and I'm sure some would enjoy a
bit of discussion on it. For those who weren't following closely, he had
asked first about some challenges using a CFX_google custom tag, and in
the replies he was told that it's quite old and instead Google favors
some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would
just go away".

So, do you realize that Ajax is merely a way to make browsers smarter?
It enables them to make calls to remote servers. Sure, we could do that
in the past with Java applets, ActiveX controls, Flash, and even plain
JavaScript. And we could of course do it from the server using either
REST or SOAP APIs. Ajax is just a simplified API to enable that very
JavaScript-based client-server interaction. For those who need to talk
to servers from clients (either because they can't or don't want to
involve a server to proxy the communications for them), we don't want
them to go back to Java and ActiveX, do we? :-) And while we may wish
everyone would use Flex, it's just not likely. Many will, for the much
larger problem space it solves, but for the average web developer, it's
not really as simple as dropping in some AJAX API calls.

If Google (or other vendors) want to create a way for people to connect,
and they want to make it work regardless of what web app server platform
people use (and as well for those who have no server), and they provide
an Ajax-based API to what (I suppose are otherwise REST-based) services,
that seems to be just being smart, widening the pool of possible users.

Look at it another way (for us CFers), they (like Amazon, eBay, and
others) could instead just document calling from Java, ASP.NET, and PHP.
They tend to not go that one step further to include CF. At least by
their offering a platform-agnostic solution that doesn't require any
server-side processing, they've helped more than just those who have no
server to make calls from.

Just some thoughts. I'm not fanatical about all this, and I may well
myself be missing a point. But since this is the ACFUG "discussion"
list, that comment seemed one worth discussing. :-)
/charlie
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
Sent: Thursday, February 07, 2008 5:30 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] JVM version and ColdFusion
Thanks, Charlie. Your comments were very helpful!
I have been hoping that this AJAX thing would just go away, as it seems
to me to be a step backwards, but it looks like it will be around a
while longer!
Forrest C. Gilmore
========================
Charlie Arehart wrote:
> Forrest, I realize you've perhaps abandoned the effort, but I'll throw
> out some clarification if it's useful, first about the JRE/CFX issue,
> then about calling the Google search APIs.
<snip>
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------