MIX - Novell's de Icaza criticizes Microsoft patent deal (LinuxWorld)

Posted Mar 15, 2008 14:36 UTC (Sat) by jschrod (subscriber, #1646)
In reply to: MIX - Novell's de Icaza criticizes Microsoft patent deal (LinuxWorld) by Los__D
Parent article: MIX - Novell's de Icaza criticizes Microsoft patent deal (LinuxWorld)

Sorry, but I can neither parse your post, nor do I understand what you want to tell me.

First, there seems to be a verb or an adjective missing in your first sentence part before the
comma. I shall have what? For the sake of discussion, I assume the `AJAX layer' is `broken' or
`wrong' or something similar. I also assume that you mean the server-side of AJAX programming with
`AJAX layer' in that sentence.

Then, I don't understand what you mean with the ``browser part''. The browser has not played
any role in this discussion sub-thread up to now.
If you want to say that server-side problems are bigger than browser-side problems, we are in
full agreement. I never said otherwise. I said that there *are* many applications with
server-side problems. One needs only to look at the SANS security mailing or at any
vulnerability disclosure mailing list; loads of Web applications with server-side problems are
out there.

That said, I differ that AJAX doesn't change anything here. AJAX radically enlarges the number
of server requests that an application has to realize. Alone with that enlargement, the risk
of programming errors is enlarged. In addition, these additional requests are often not
properly integrated into Web application frameworks. Take Java Server Faces, for example:
There you have input conversion and validation as part of the framework. I.e., they are done
automatically. Enter AJAX, and that part is either not there any more, one has to program
process listener classes and do the validation manually or one has to use ajax4jsf (which is
very complicated to get right). Similar problems exist for other frameworks like Struts or
Tapestry.

Of course, it would be nice if any programmer would completely validate any input he receives
and realize these checks without any errors. But in the world where I'm living, and this is
also the world that is reported about by SANS and all security mailing lists, this does not
happen. In my world, framework support for *automatic* input validation / output
checking is extremely important to get better security into Web applications.

Therefore, I differ with your last statement: AJAX CAN make your application less secure:
Since many (popular) Web application development frameworks don't automatically support
server-side conversion and validation of AJAX requests' input parameters, programmers have to
realize them by hand. And that is more error-prone, thus creates a higher risk and thereby
lowers the application's security.
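The gap described in the comment above, as an added example that is not part of the original post or of any framework it names: a constructed declarative conversion/validation table stands in for a framework's automatic phase, and beside it sits a hand-written AJAX endpoint that re-implements the same checks inline and misses some. Field names, rules and request samples are assumptions.

```javascript
// Declarative rules: the framework path applies these to every request before
// business logic runs (the role JSF's conversion/validation phase plays).
const RULES = {
  itemId:   { type: 'int', min: 1 },
  quantity: { type: 'int', min: 1, max: 99 },
};

// Convert raw string parameters and validate them against RULES.
function convertAndValidate(params, rules) {
  const errors = [];
  const clean = {};
  for (const [name, rule] of Object.entries(rules)) {
    const raw = params[name];
    if (raw === undefined || raw === '') { errors.push(`${name}: required`); continue; }
    if (rule.type === 'int') {
      if (!/^-?\d+$/.test(String(raw))) { errors.push(`${name}: not an integer`); continue; }
      const n = Number(raw);
      if (rule.min !== undefined && n < rule.min) errors.push(`${name}: below ${rule.min}`);
      if (rule.max !== undefined && n > rule.max) errors.push(`${name}: above ${rule.max}`);
      clean[name] = n;
    }
  }
  return { ok: errors.length === 0, errors, clean };
}

// Framework-style handler: business logic only ever sees converted, validated values.
function formHandler(params) {
  const v = convertAndValidate(params, RULES);
  if (!v.ok) return { status: 400, errors: v.errors };
  return { status: 200, order: { itemId: v.clean.itemId, quantity: v.clean.quantity } };
}

// Hand-written AJAX endpoint (constructed): conversion is done inline, only the upper
// bound was remembered, and itemId is passed through without conversion at all.
function ajaxHandler(params) {
  const quantity = parseInt(params.quantity, 10); // parseInt('12abc') === 12; '' gives NaN
  if (quantity > 99) return { status: 400, errors: ['quantity too large'] };
  return { status: 200, order: { itemId: params.itemId, quantity } };
}

// Constructed sample requests, as a browser's AJAX calls would deliver them (all strings).
const REQUESTS = [
  { itemId: '7',   quantity: '3' },      // valid
  { itemId: '7',   quantity: '500' },    // over the maximum
  { itemId: '7',   quantity: '-5' },     // negative quantity
  { itemId: 'abc', quantity: '12abc' },  // garbage in both fields
  { itemId: '7',   quantity: '' },       // missing quantity
];

// Status each handler returns for each request; only the first two agree.
function compare() {
  return REQUESTS.map(r => ({ form: formHandler(r).status, ajax: ajaxHandler(r).status }));
}
```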


Copyright © 2008, Eklektix, Inc.