Scott Dietzen over at Zimbra has an interesting blog entry on Securing Ajax. He takes a somewhat unconventional approach, starting with the security advantages of Ajax:

• Dynamic Ajax client download – Ajax client code is downloaded on demand from the trusted server after a particular user logs-in, automatically ensuring client and server versions are in-sync (for public computers, a shift re-load is better in that it overwrites any Ajax code from that website leftover in the browser cache).
• No persistent client caching – An exposure with traditional web clients is that they cache HTML pages that can include user/application data on the client disk during normal operation. This can be a security vulnerability for access from public kiosks or other shared computers. Ajax applications like the Zimbra client cache no user data on disk.
• Server-side control of intranet and Internet mash-ups – Zimlets and other Ajax mash-ups are precluded from accessing arbitrary services on the Internet (unless they open a new iFrame, which can be determined at server deployment time), and must instead (like Java applets) make all invocations back to the originating server (in our case, the Zimbra server). This means the Ajax server can act as a secure, proxy gateway for accessing intranet applications, and can govern which external web services (if any) are accessible for mash-up within the Ajax client.

Among the downsides are the exposure of code on the browser. If you limit yourself to display logic, though, that is mitigated. An interesting article.

Technorati : ajax, security

Share/Bookmark