AJAX and Mashup Security

Security threats and tips to avoid them

This article provides an introduction to some of the security threats associated with AJAX technologies, particularly when used within mashup scenarios, and then offers a list of recommended best practices.

Understanding the Same-Origin Policy
One of the foundations of Web security is the "same-origin" policy, which is widely implemented by Web browsers, including the most popular ones (e.g., Internet Explorer, Firefox, Safari, and Opera). Browsers implement the same-origin policy as a protection mechanism in order to isolate Web applications coming from different domains, under the assumption that different domains represent different originators. As a result, if applications in multiple windows or frames are downloaded from different servers, they will not be able to access each other's data and scripts. In the context of XMLHttpRequest, the same-origin policy is intended to control an application's interaction with remote servers.

However, the same-origin policy does not offer complete protection, for several reasons. First, it can be bypassed in many ways, some of which we illustrate later.

Furthermore, even if a Web server is from a trusted domain, it might not be the originator of all of the content, especially in the context of Web 2.0. For example, an enterprise portal server, Web-based mail server, social networking site, or wiki may be trusted, but the contents they host may include input from potentially malicious third parties, which might result in cross-site scripting (XSS) attacks (described later).
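The origin comparison behind the same-origin policy, as an added example that is not part of the original article: browsers compare scheme, host, and port, so a page written by a third party but served from a trusted host shares that host's origin. The function names and all URLs are constructed for illustration, and the sketch treats only http and https as comparable origins.

```javascript
// Added illustration of the same-origin comparison (scheme, host, port).
// Hypothetical helper names; every URL below is a constructed sample value.

const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// Return the origin tuple of a URL, or null when the scheme has an opaque
// origin (data:, file:, ...). This sketch handles only http/https tuples.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!DEFAULT_PORTS.has(u.protocol)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,                              // parser lowercases the host
    port: u.port || DEFAULT_PORTS.get(u.protocol), // empty string means default
  };
}

// Two URLs are same-origin only if all three tuple parts match.
// An opaque origin never matches anything, not even an identical URL.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The trusted page whose data and scripts the policy is meant to isolate.
const TRUSTED_PAGE = "https://wiki.example.com/admin/settings";

// [candidate URL, expected result, what the case shows]
const CASES = [
  ["https://wiki.example.com/users/mallory/profile", true, "user-authored page on the trusted host"],
  ["https://WIKI.example.com:443/help", true, "host case and default port are normalised"],
  ["http://wiki.example.com/help", false, "scheme differs"],
  ["https://wiki.example.com:8443/help", false, "port differs"],
  ["https://mail.example.com/inbox", false, "host differs"],
  ["data:text/html,hello", false, "opaque origin"],
];

for (const [url, , why] of CASES) {
  const verdict = sameOrigin(TRUSTED_PAGE, url) ? "same origin " : "cross origin";
  console.log(`${verdict}  ${url}  (${why})`);
}
```

The first case is the one the paragraph above warns about: the policy isolates by where content is served from, not by who wrote it.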

More Stories By Jon Ferraiolo

Jon Ferraiolo is an employee of IBM within its Emerging Internet Technologies group. Jon is devoted exclusively to OpenAjax Alliance, where he manages operations and leads many activities. Before joining IBM in 2006, Jon worked at Adobe for 13 years, where he was an architect, engineering manager and product manager.

Jon has been a speaker at every AJAXWorld conference since October 2006, and has spoken at dozens of other industry conferences in the past couple of years. AJAXWorld magazine has published 6 or 7 articles Jon has submitted over the past couple of years.
