I've been taking a close look at AJAX and Mashup security for a couple of weeks now, and I've stumbled upon two things which I thought I should blog about, so here goes:
"AJAX Security" Book
I've read several raving reviews of the "AJAX Security" book by Billy Hoffman and Bryan Sullivan, and I'd like to join the reviewers and attest that this book is simply excellent. The book covers everything you need to know about AJAX security: a thorough background, simple and clear examples, and everything from regular web application security issues to obscure Mashup security issues and even offline Ajax applications (e.g. Google Gears, etc.). If you are into AJAX security, this book will definitely be a great companion. Kudos to Billy & Bryan!
SMash
While reading the aforementioned AJAX security book, I noticed that Mashup security is still in its infancy, and I was pondering some of the problems that arise from mashing up content from different trust domains into a single web page (which, obviously, is served from a single domain). The book talks about IFrame jails and some of the issues with that solution, and even suggests some interesting techniques for securing mashups - but I wanted to direct your attention to a very interesting solution / technology that was built right here at IBM Research, and is freely available for everyone. This solution is called SMash (stands for Secure Mashups). Here's a short description of SMash from the OpenAjax web site:
IBM Research has contributed an important and major set of open source technology called “SMash” (secure mashups) to OpenAjax Alliance. SMash is a set of technique and open source JavaScript that runs in today’s browsers (without extensions or plugins) and enables secure handling of 3rd party mashup components.
SMash accomplishes its magic by placing mashup components in separate IFRAMEs (each using a different sub-domain). Cross-frame communication in today’s browsers is accomplished using the window.location fragment identifier. The highest level mashup application manages all communications between itself and among the mashup components. Although the initial version uses window.location, the SMash APIs are independent of any particular implementation approach and will still work if/when browsers add native support for secure cross-frame messaging.
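To make the description above concrete, here is an added simulation (my own sketch, not SMash code) of the fragment-identifier channel it describes: components live in frames they cannot read across, every message is written into a frame's fragment, and the top-level page is the only party a component can reach, so it is where an allow-list policy is enforced. The message framing, the policy hook and the replay check are assumptions of this sketch; it runs in Node with no browser.

```javascript
// Browser rule modelled: a script may READ location.hash only for its own frame, but may
// SET the fragment of any frame it holds a handle to, and a fragment-only change does
// not reload that frame. Framing "seq:from:to:body" is an assumption of this sketch.
function encode(seq, from, to, body) {
  return [seq, from, to, encodeURIComponent(body)].join(':'); // body may not contain ':'
}
function decode(hash) {
  const [seq, from, to, body] = hash.replace(/^#/, '').split(':');
  return { seq: Number(seq), from, to, body: decodeURIComponent(body) };
}

class Frame {
  constructor(name, onMessage) {
    this.name = name; this.hash = ''; this.seen = {}; this.onMessage = onMessage;
  }
  // Callable by anyone: cross-origin navigation to a new fragment is permitted.
  setFragment(fragment) { this.hash = '#' + fragment; this.poll(); }
  // Only this frame's own script can run this; SMash polls location on a timer.
  poll() {
    if (!this.hash) return;
    const msg = decode(this.hash);
    if (this.seen[msg.from] >= msg.seq) return; // replay of an already handled message
    this.seen[msg.from] = msg.seq;
    this.onMessage(msg);
  }
}

// The top-level page: the only frame components can reach, and the policy point.
class Hub {
  constructor(policy) {
    this.policy = policy; this.seq = 0; this.components = {}; this.denied = [];
    this.frame = new Frame('hub', (m) => this.route(m));
  }
  addComponent(name) {
    const f = new Frame(name, (m) => f.inbox.push(m.body));
    f.inbox = [];
    this.components[name] = f;
    return f;
  }
  // Components never address each other; every message crosses the hub's policy.
  route({ from, to, body }) {
    if (!this.components[to] || !this.policy(from, to)) { this.denied.push(from + '->' + to); return; }
    this.components[to].setFragment(encode(this.seq++, from, to, body));
  }
}
// A component's send: it holds a handle to the hub frame only. 'from' is self-declared
// here; binding it to the frame that actually wrote the fragment is outside this sketch.
function publish(hub, from, seq, to, body) { hub.frame.setFragment(encode(seq, from, to, body)); }

// Constructed scenario: a map widget may feed a listing widget; an ad widget may not.
const allow = { map: ['listing'] };
const hub = new Hub((from, to) => (allow[from] || []).includes(to));
const listing = hub.addComponent('listing'); hub.addComponent('map'); hub.addComponent('ads');
publish(hub, 'map', 1, 'listing', 'select:id=42&name=Café Ölü'); // delivered
publish(hub, 'ads', 1, 'listing', 'select:id=99');              // denied by policy
publish(hub, 'map', 1, 'listing', 'select:id=42&name=Café Ölü'); // replay of seq 1, dropped
```

The receiving widget still has to treat the decoded body as untrusted text; the hub only decides who may talk to whom, not what the message means.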
You can find more technical information about SMash in the following IBM whitepaper - "SMash: Secure Component Model for Cross-Domain Mashups on Unmodified Browsers"
SMash is offered for free through the OpenAjax web site.