Dave Evartt said the following on 10/21/2009 03:32 PM:

> Granted that there are security concerns with hidden calls to the
> application, but really, are they really any less secure than the same
> call from a browser link. I think not. But it's about the user
> experience, and if we're not concerned with that then we can just say,
> 'no javascript, no java, no cookies, and nothing but plain old text'.
> But since few developers fall into the Luddite category, and ajax really
> has nothing to do with the M2 architecture anyway, I wouldn't think
> twice about it.

Actually, this is a good point. Most people have already implemented some sort of login / security process via filters or plugins in Mach-II. If you run your AJAX outside of Mach-II, you have to re-create those security measures again, which leads to two implementations that are trying to solve the same thing. Running AJAX through Mach-II means you can leverage your already existing infrastructure. Having two implementations is a security concern if one works slightly differently than the other.

Just curious why you abort your AJAX events in your example code? If it has to do with Mach-II debugging output, you can programmatically turn that off on an event-by-event basis (see the doco for the event-arg you need to set).

> When it comes down to it, making an ajax call should never be treated
> any differently than any other call from the browser, regardless of the
> platform the application runs under, since it is always under the
> direct control of the browser anyway.

I totally agree: normal browser requests and AJAX requests are just plain old HTTP calls. It's just that AJAX is inside the user agent already, so it's probably going to do more stuff. They both have to be secured the same way. You can do some additional security because most AJAX libraries add some additional information in the user agent string and/or HTTP request headers that identify it as an AJAX request. You could easily write a plugin that looks for this information for AJAX events in Mach-II. This would disallow the casual person from requesting that event via the browser URL -- however, it's no replacement for true security in case somebody spoofs headers / data via some other mechanism.

> All of this is of course, just my opinion. Your mileage may differ.

Jordan, I'm curious where you read that AJAX through Mach-II is bad. I think in the past a few people have vocalized that they thought this might be bad, but I've never been very convinced due to the lack of reasons. Bad for bad's sake isn't a true reason to me. I guess Team Mach-II has never really said otherwise about using AJAX in Mach-II, but from what we've talked about for future versions of the framework -- AJAX integration / hooks / tools for you to use will be expanded (my arm is being twisted a bit by former team member Kyle Hayes to use DOJO -- he just wrote a book on DOJO and I must admit people are overlooking that framework).
Best,
.Peter

You received this message because you are subscribed to the Mach-II for CFML list.
For more options, visit this group at http://groups.google.com/group/mach-ii-for-coldfusion?hl=en
SVN: http://greatbiztoolsllc.svn.cvsdude.com/mach-ii/
Wiki / Documentation / Tickets: http://greatbiztoolsllc.trac.cvsdude.com/mach-ii/
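The plugin Peter sketches above (check the AJAX-identifying request header for specific events, as a speed bump rather than a substitute for real authentication) as an added example that is not part of the original thread or of Mach-II itself. It assumes Mach-II's plugin base class `MachII.framework.Plugin` with a `preEvent(eventContext)` hook, `eventContext.getCurrentEvent()` / `clearEventQueue()`, and a plugin parameter named `ajaxOnlyEvents` declared in the mach-ii.xml config; the header name `X-Requested-With: XMLHttpRequest` is the one jQuery, Prototype and Dojo send.

```cfml
<!--- Added example: reject non-AJAX requests for events configured as AJAX-only.
      Assumed Mach-II API: extends MachII.framework.Plugin, preEvent() hook,
      eventContext.getCurrentEvent() and eventContext.clearEventQueue(),
      plus a plugin <parameter name="ajaxOnlyEvents" value="getUsers,saveUser" />. --->
<cfcomponent displayname="AjaxOnlyPlugin" extends="MachII.framework.Plugin" output="false">

	<cffunction name="configure" access="public" returntype="void" output="false">
		<!--- Comma-delimited list of event names that should only arrive via XHR --->
		<cfset variables.ajaxOnlyEvents = getParameter("ajaxOnlyEvents", "") />
	</cffunction>

	<cffunction name="preEvent" access="public" returntype="void" output="false">
		<cfargument name="eventContext" type="any" required="true" />
		<cfset var event = arguments.eventContext.getCurrentEvent() />

		<!--- Events not listed as AJAX-only pass straight through --->
		<cfif NOT listFindNoCase(variables.ajaxOnlyEvents, event.getName())>
			<cfreturn />
		</cfif>

		<cfif NOT isAjaxRequest()>
			<!--- Drop the queued event and answer 403 instead of running it.
			      This only stops the casual browser-URL request: the header is
			      trivial to add with any HTTP client, so the normal login /
			      authorization filters must still run for these events. --->
			<cfset arguments.eventContext.clearEventQueue() />
			<cfheader statuscode="403" statustext="Forbidden" />
			<cfcontent type="text/plain" reset="true" />
		</cfif>
	</cffunction>

	<cffunction name="isAjaxRequest" access="private" returntype="boolean" output="false">
		<!--- getHttpRequestData() is the standard CFML call; its headers struct
		      is looked up case-insensitively, as CF struct keys always are --->
		<cfset var headers = getHttpRequestData().headers />
		<cfif structKeyExists(headers, "X-Requested-With")>
			<cfreturn compareNoCase(headers["X-Requested-With"], "XMLHttpRequest") EQ 0 />
		</cfif>
		<cfreturn false />
	</cffunction>

</cfcomponent>
```

Register it in mach-ii.xml under `<plugins>` with the `ajaxOnlyEvents` parameter listing the event names; events not in that list are unaffected.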
