YOUR FEEDBACK
Immo Huneke wrote: A well written article, an ingenious solution to a real problem often encountere...
Jan. 6, 2009 08:14 AM
Cloud Computing Conference
March 30 - April 1, New York
Register Today and SAVE !..
Did you read today's front page stories & breaking news?
SYS-CON.TV: Cynergy Announcing RIA Development for Silverlight

SYS-CON.TV

2008 East
DIAMOND SPONSOR:
Data Direct
Frontiers in Data Access: The Coming Wave in Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
Intel
Virtualization – Path to Predictive Enterprise
Green Hills
IT Security in a Hostile World
JBoss / freedom oss
Practical SOA Approach
GOLD SPONSORS:
Software AG
The Art & Science of SOA: How Governance Enables Adoption
PlateSpin
Effective Planning for Virtual Infrastructure Growth
Fujitsu
Automated Business Process Discovery & Virtualization Service
Ceedo
Workspace Virtualization
Click For 2007 West
Event Webcasts

2008 East
PLATINUM SPONSORS:
Appcelerator
Think Fast: Accelerate AJAX Development with Appcelerator
GOLD SPONSORS:
DreamFace Interactive
The Ultimate Framework for Creating Personalized Web 2.0 Mashups
ICEsoft
AJAX and Social Computing for the Enterprise
Kaazing
Enterprise Comet: Real–Time, Real–Time, or Real–Time Web 2.0?
Nexaweb
Now Playing: Desktop Apps in the Browser!
Sun
jMaki as an AJAX Mashup Framework
POWER PANELS:
The Business Value
of RIAs
What Lies Beyond AJAX?
KEYNOTES:
Douglas Crockford
Can We Fix the Web?
Anthony Franco
2008: The Year of the RIA
Click For 2007 Event Webcasts
TOP THREE LINKS YOU MUST CLICK ON


AJAXWorld News Desk
AJAX and Mashup Security
Security threats and tips to avoid them

By: Jon Ferraiolo; on behalf of the OpenAjax Alliance
Dec. 3, 2007 09:15 PM

This article provides an introduction to some of the security threats associated with AJAX technologies, particularly when used within mashup scenarios, and then offers a list of recommended best practices.

Understanding the Same-Origin Policy
One of the foundations of Web security is the "same-origin" policy, which is widely implemented by Web browsers, including the most popular ones (e.g., Internet Explorer, Firefox, Safari, and Opera). Browsers implement the same-origin policy as a protection mechanism in order to isolate Web applications coming from different domains, under the assumption that different domains represent different originators. As a result, if applications in multiple windows or frames are downloaded from different servers, they will not be able to access each other's data and scripts. In the context of XMLHttpRequest, the same-origin policy is intended to control an application's interaction with remote servers.

However, the same-origin policy does not offer complete protection for several reasons. It's possible to bypass the same-origin policy in many ways. We'll illustrate some of these later.

Furthermore, even if a Web server is from a trusted domain, it might not be the originator of all of the content, especially in the context of Web 2.0. For example, an enterprise portal server, Web-based mail server, social networking site, or wiki may be trusted, but the contents they host may include input from potentially malicious third parties, which might result in cross-site scripting (XSS) attacks (described later).

Published Dec. 3, 2007— Reads 8,162
Copyright © 2009 SYS-CON Media. All Rights Reserved.
About Jon Ferraiolo
Jon Ferraiolo is an employee of IBM within its Emerging Internet Technologies group. Jon is devoted exclusively to OpenAjax Alliance, where he manages operations and leads many activities.Before joining IBM in 2006, Jon worked at Adobe for 13 years where he was an architect, engineering manager and product manager. Jon has been a speaker at every AJAXWorld conference since October 2006, and has spoken at dozens of other industry conferences in the past couple of years. AJAXWorld magazine has published 6 or 7 articles Jon has submitted over the past couple of years.

About on behalf of the OpenAjax Alliance


LATEST AJAXWORLD RIA STORIES
By Virtualization News Desk
Artifact Software has added Project & Portfolio Management to its SaaS Lighthouse product. The new 5.0 release, code-named Vancouver, provides software professionals with new PPM capabilities that are integrated with Lighthouse's set of lifecycle management features. Both PPM and...
Jan. 8, 2009 05:45 PM
By RIA News Desk
Midnight Coders has launched WebORB PDF Generator, a solution consisting of a SDK and runtime PDF generation engine that enables Flex, Flash, AJAX and Silverlight clients to create PDF documents from application data. The product is designed for organizations that need to support...
Jan. 8, 2009 04:00 PM
By Jeremy Geelan
More than a thousand sites are using Facebook Connect, says Mike Vernal, a member of the Facebook Platform engineering team, in this Exclusive Q&A with SYS-CON's Web 2.0 Journal. Some prominent examples Vernal mentions include Citysearch for local reviews, Joost and Vimeo for vid...
Jan. 8, 2009 09:30 AM
By RIA News Desk
Curl announced the release of Curl Data Kit Data Services (CDK-DS) for enterprise developers building new applications using Adobe Flex or Flash, as well as developers upgrading existing Curl applications. This addition to the Curl Rich Internet Application (RIA) Platform is an i...
Jan. 8, 2009 09:15 AM
By RIA News Desk
BonzoBox, a social homepage, has revealed its product to the public. The website has previously operated under a hidden beta only available to selected developers. BonzoBox is an interactive Web tool that allows people to build their own customized "BonzoBox" home page with live ...
Jan. 8, 2009 09:00 AM
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS
SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021
Click Here

SYS-CON FEATURED WHITEPAPERS

MOST READ THIS WEEK
By Robbie Cheng
By Maureen O'Gara
By Cloud Computing News Desk
By Maureen O'Gara
By Nicole Schepker
By Frank Salim
By SAP News Desk
By RIA News Desk
By RIA News Desk
By Cloud Computing News Desk
By SOA World Magazine News Desk
By RIA News Desk
ADS BY GOOGLE