Securing Ajax Mashups 
April 3rd, 2007
I just had a chance to read a good article from Brent Ashley over on IBM developerWorks about how to build secure Ajax mashups. He does a quick refresher on the Ajax and Mashup basics and then discusses current and future techniques for ensuring that your Mashup is a secure one.
Today we have little choice aside from including a cross domain JavaScript file in our web page like when making a Google Maps mashup that requires the Google JavaScript to be included in the page. For a secure mashup Brent suggests using the URL fragment identifier with hidden IFrames - this can be a good solution yet both sides of the IFrame need to agree on a protocol and it is limited to less than 256 bytes of data.
Brent also discusses the future solutions that are proposed from the JSONRequest object to the <module> HTML tag.
It will be interesting to see which proposal actually comes to fruition to enable more secure Ajax Mashups. I like the JSONRequest idea though I am still weary of such a proposal even if it doesn’t send cookies and only accepts valid JSON content. Since the proposal comes from Douglas Crockford I understand why it would be called JSONRequest but it would be pretty silly not to have it also accept XML IMHO - XML doesn’t even have any problems with being “exectuted” in the unsuspecting browser like JSON does. Otherwise, I am a big fan of the Flash approach with their cross-domain XML file that lives on the server and specifies to a Flash movie what domains it can load content from.
Entries (RSS)
and