The Business Agility Blog

Why AJAX?

Posted by Derek Roos on February 05, 2008

This one’s a dead give-away. I’ll spell it out anyway.

“AJAX is the most efficient way of delivering complex applications to the widest variety of end-users currently available.” – [me]

So why isn’t everybody using AJAX everywhere?

If you have to ask this question, you haven’t been paying attention. Everybody who is anybody is using AJAX across the board. The canonical examples are of course Google’s GMail and Google Maps. But those are just two examples. AJAX is now the standard for web applications and considered a requirement for most web sites.

So if you want to develop applications for the web, you have to do AJAX.

A lot of companies are having trouble with this but, if you’ve been following the whole Web-2.0 buzz over the last years, you’ll have noticed that the successful ones are doing just fine. So where’s the gap the struggling companies have trouble crossing?

AJAX development is hard. No, let me re-phrase that. It isn’t hard, it’s just time-consuming. The devil is in the details. And there are a lot of details. So if you’re developing a custom AJAX system from scratch, you’ll have to invest a lot of time in details (which costs a lot of time and is therefore expensive in more ways than the obvious one). On the other hand, if you have an existing web application and want to convert it to AJAX you’ll more than likely run into structural architectural problems that seem trivial at first, but will kill your efforts in the last mile. Details, details, details. They matter more than we’re comfortable with.

OK, so AJAX is generally tricky but required. But is it required for reasons that don’t have to do with presenting the end-user with an environment that resembles or behaves like a traditional desktop application?

Sure it is. It’s based on a well-established standard for transmission – HTTP. HTTP is by now the de-facto standard for application communications. Traditionally developers would implement a custom protocol on top of TCP, but these days everyone just uses HTTP. Browsers use HTTP, webservices are HTTP from end-to-end, chat systems use HTTP, even online voice systems use HTTP. And for corporate environments HTTP is a standard that integrates well with logging, caching, proxying, authentication and auditing requirements.

So AJAX uses a universal protocol, ties together standards that are available in just about every browser under the sun and requires no additional third-party components to be installed. I could list additional benefits, but rest assured – AJAX makes the plants grow, the sun go ’round and generally shines light on the world we live in.

Obviously, AJAX is the way to go.

At Mendix we’ve chosen to make AJAX our number 1 application deployment environment.

Let me take a step back here and explain that AJAX, for us, is just an environment. The JavaScript/CSS/HTML combination of AJAX is uniquely suited to mass-deployment. But as applications built in the Mendix environment consist mostly of models, their behaviour, navigation structures and layout – the deployment could just as well happen to a dotNET environment. We have core implementations of the run-time at various levels of maturity in different languages. Getting any of them to full GUI status would be a month or two of work.

But AJAX is the #1 target, so that’s where the development effort goes.

I recently gave a presentation with a colleague to a room full of techies and he changed the behaviour of the demo application on the beamer in the modeler to add some buttons and random things. After pushing the button for regenerating the configuration without restarting the platform someone immediately asked,
‘Hey! Where’s the compilation step?’.
Well, there wasn’t one.

All that had changed was behaviour and the (AJAX) client just picked up the new configuration and ran with it.

So sure, I spend a lot of time screaming at the inconsistent implementations of CSS, HTML, JavaScript, etc in different browsers. Timing issues, rendering status, host environment freakishness drive me up the wall sometimes. Getting the build systems aligned with modules, i18n, l10n, themability, custom layouts and outlandish icon-packs can make me re-consider my career choice.

But having a business analyst with zero programming knowledge put together a complex application in competition with a team of ASP.Net programmers and completing it in a fraction of the time is just so much fun to watch.

It makes it all worth it.

JavaScript development and deployment obstacles

Posted by Derek Roos on March 18, 2007

#1 JavaScript engines in browsers

JavaScript engines in browsers generally seem to be implemented as a single
instance with many contexts.

This works fine in theory, but resource scheduling and throttling appears to be
none-existent.

So a single piece of JavaScript running wild will block the page it’s running
on. And not only that page, but all the others as well because it’s the engine
itself that is feeding all the resources to a single execution chain.

Best case scenario : the ’stop script’ dialog, which makes no sense to most end
users.

Worst case scenario : browser crash.
Solution : sane context-aware resource scheduling and throttling built right
into the browsers.

#2 Shared libraries

A lot of AJAX code is written on top of large JavaScript libraries. Having
those available in the browser would save a lot of load time when going from
site A to site B, who both use the same library.

Having a way to specify a library you want to use in your code where the
browser will simply load it if it’s not available would be nice.

A way of saying

require({
  provider : 'http://dojotoolkit.org/libspec.js',
  version  : '0.9-IO'
});

would save everyone a lot of hassle. Make it signed, with cache-expiration,
etc. If you don’t want to rely on a Dojo/Protoype/etc build, make one yourself
and be your own provider.

#3 Offline storage

A standard way to store data on the browser across sessions would also improve
the state of the Web 2.0. Firefox is working on this, Microsoft is coming upwith something completely Microsoft-centric and non-browser based (thanks for that!)
and Dojo is hacking strings into flash objects (proprietary tech, but works
everywhere).

Something open and extendable that works everywhere, please.

#4 Cross domain scripting considered harmful

A piece of JavaScript code can only access a resource from the URL it was
loaded from. Sounds nice in theory, but there are now so many different ways of
circumventing that restriction in legitimate production usage across the net
that it’s starting to become a little silly to think that evil haxx0rs will be
stopped by this limitation.

Solution : pick a standard and drop the restriction.

#5 JavaScript engine inspection

The internals of most JavaScript engines are really, really hard to get at and
developers are often forced to resort to ’round-about ways to track down leaks,
circular references, etc.

No, I don’t want another debugger to examine my code with, I want an inspector
to examine the state of my code in the context of the JavaScript engine and the
host environment without breaking out the system debugger and having to
reconstruct the whole thing from assembly and C API calls.

And a good one for each major platform, please.

Ajax security perception

Posted by Derek Roos on January 19, 2007

It seems like a month doesn’t go by without a new whitepaper detailing interesting new ways to maliciously apply JavaScript comes out. And this is fine. The problem I have is not with the papers themselves (I enjoy reading them – a lot of novel code appears there) but rather, how the media picks them up. Sure, ‘AJAX is insecure’ makes for clickable headlines, but it’s bad reporting.

When a security issue is reported the first thing that is relevant is discovering whether this is an implementation bug or an architectural flaw. Implementation bugs are fairly trivial to fix (but might have a lot of short-term impact). Architectural flaws are big time trouble.

Ajax security issues tend to fall into neither category. In fact, they usually are not even Ajax security issues. At all.

These issues generally focus on the interesting things you can accomplish as an attacker once you have already breached security by performing a form on how of malicious code injection.

There is nothing inherently insecure about Ajax applications. Their security (or insecurity) depends entirely on how the service provider manages the content delivered to the client.

So the Ajax security alerts don’t really tell us anything about Ajax security in itself. It is by now a well-established maxim in the security community that once an attacker manages to execute arbitrary code on your computer – it’s not your computer anymore. Why would anyone assume the rules have changed because the web jumped up a number in the media?

As an attacker, if you manage to inject your code into a page you can pretty much go hog-wild with the user session. But this is nothing new. For Ajax security the surface area available for attacks is fairly limited. Once you circumvent that the sky’s the limit, of course. There are any number of ways in which it is possible to get around the single domain policy found in all modern browsers. Some of these have even become a de-facto standard for Ajax developers and have lead to comments stating that such policies are pointless (I respectfully disagree here, but more on that later).

The content provider has a trusted role. A function of that role is to sanitize the content. LISP programmers and security programmers have been comfortable with the idea that code equals data and vice versa for a long time. This is for others a rather novel concept, but it’s high time everybody else caught up.

And shifting blame on end-users (a popular activity in the IT world) is simply not acceptable. As developers we have to shield end-users from technological complexity. This includes security. When people use our applications they implicitly trust us. As technology developers we have to honour that trust.

It makes for some interesting food for thought.

The bottom line is that security is hard and we can’t expect end-users to ever comprehend the complexities involved. So dumping security resonsibility on end-users is fairly stupid.

It’s up to us to write decent systems.

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.