Cross-Domain Ajax Insecurity
- An ode to desktop app experiences
- Google AJAX Feed API
- Hitting the bars: Blog and News bars
- Current Concerns with Ajax
- Thoughts on the Open Ajax Alliance
- Google Apps - Premier Edition
- Adobe asks Ajaxians to beta test Apollo
- OAT: OpenAjax Alliance Compliant Toolkit
- Microsoft announces the ASP.NET Ajax 1.0 Release
- Jakob Nielsen on intranets and hype
- Apollo is seriously cool
- Free Ajax Ringtone Maker
- Using CNAMES to get around browser connection limits
- OpenKM: Ajax Document Management System
- Ajax Cookbook: Helpful JavaScript tips
- Testable Ajax Seminar
- SSLBridge: Ajax Samba Client
- JSONRequest Proposal
- Practical Design in Ajax by Sarah Nelson and David Verba
- Clorox - Shared Memory Abstraction for AJAX Applications
- Tracking Ajax Requests in Analytics
- The State Of Web Development - Ajax set to surpass Flash in ‘07
- Dynamic Graphics in the Browser
- The Dangers of Cross-Domain Ajax with Flash
- COMET with PHP
- Dojo Spreadsheet Widget
- Ajaxium 2.0: ASP.NET Ajax Container
- Top 8 Ajax evaluation criteria
- MS Live.com: Ajax Image Search
- Eliminating async Javascript callbacks by preprocessing
- Ajax-based PHP Grid Acquired, Soon to Open Source
- Ajax IE Caching Issue
- MooTools Released
- AJAX-based One-Page Checkout: Video
- Why Ajax?
- Bridging Java Swing with Ajax
- Google Image Labeler: Collaborative Tagging Game
- Geek in the Park
- TechCrunch UK
- The Future of Netvibes
- Profiling and Optimising Ajax Applications
- Ajaxitagging
- Introducing LaCo (or AJAX for the non-programmer)
- Adding AJAX to a Website step by step, Part II
- Adding AJAX to a website step by step
- Too Much AJAX?
- Meebo IM Now in Netvibes
- Web 2.0 Opinions - Oh How They Differ
- Visible.net: New Web 2.0 Ecommerce Shopping Cart Company
- Apple(s), not oranges
- Top-down web product design
- jQuery Roundup: Rails, Wordpress, and new plugins
- AJAX Feed API: Blogroll and Slideshow Controls
- Realestateplus launches
- Google announces new AJAX Feed API
- Communities, the blogosphere and conduct
- Adobe’s Apollo public Alpha is out
- Sun Web Developer Pack
- GvaScript
- Ext 1.0 for jQuery Appoaches
- Yahoo! wins in mapping user experience
- Google Apps: Integrate and Extend
- Dynamic Right Click Context Menu
- PQuery - PHP and jQuery
- ClassAnim & HoverHijax: Keeping Presentation out of Your JavaScript
- Tips on working with remote teams
- It’s time for OpenID
- Automated JavaScript Vertical Flip Image Reflection
- YUI Version 2.2.0 Released
- Finally someone breaks a few DEMO bones
- SoundManager 2: A Sound API for JavaScript
- Fixing web-based products through design
- Fun with browsers: for in loop
- Zooomr Popup Icons
- JDA Emulator: Spring for JavaScript
- MkeMne:). Make Money.
- PHP for Microsoft Ajax Library
- WHATWG Web Forms 2.0 Repetition Model Implementation
- Wikipedia is right about nofollow
- iPhone, on the thin line between love and hate
- O bubble, where art thou?
- ExpressionEngine Ajax Resources
- Predictions: Ajax in 2007
- Porting Prototype Enumerable functions to Mootools Array objects
- GWT Compilation Details
- Backbutton Overloading
- jQuery updates: 1.0.4, documentation, and people
- Tweebox 1.0: Browser based choose-your-own-adventures
- Googles Rounded Corner Generator
- Bill Gates on Web Apps
- Gaming industry 2.0
- Le Web 3 fails, politicians and organization to blame
- htmlPlayground: GWT based reference guide
- Miro: light-weight JavaScript rendering engine
- Why most startups suck - on doing better through design
- DOMTool: Given HTML generate DOM methods
- Goplan updates
- Is Converging Towards the Desktop Good?
- MochiKit.Animator: New Animation in MochiKit
- DOM events in the Microsoft Ajax Library formerly known as Atlas
- Web Design is 95% Typography
- moo.fx 2.0: a whole new mooing
- Why the “online office” won’t work for now
- Projax: PHP Generators for Prototype and Script.aculo.us
- Death of the Desktop by Aza Raskin
- Google Coop: Vertical Searching
- Widgets, or the Blog as christmas tree
- Benchmark: DOM vs. innerHTML
- YUI: Setting the record on library file size
- Flapjax: Functional JavaScript
- Mootools Accordian Tutorial
- Smooth Slideshow 2.0
- Detecting IE7+ in JavaScript
- Google buys YouTube, internet wonders why
- “Don’t Waste Time” with Graphical Ajax Solutions
- SearchMash: Googles playpen
- Web 2.0 eCommerce - It's What Shoppers Want
- Yahoo! Browser-Based Authentication
- Google Reader Fresh Look
- Transcorners: Because you are obsessed with rounded corners
- bytefx: simple effects
- Lessons in JavaScript Performance Optimization
- Transparent custom corners and borders, version 2
- Transparent Messages in JavaScript
- Full RSS feeds - I was serious the last time, too.
- Watching Your Words
- 2020 Internet Vision
- Behr: Rich Color Choosing
- Intra-iframe Message Passing
- Man Bites Mainstream Media
- OPML Icon Project
- Writely Getting Tightly
- More Lists; Less Thinking
- AJAX MVC (so to speak)
- Launching web-applications quietly
- Advertising Beyond the Web: Heavyhitters take to TV
- NewsGator Desktop Sync for IE7 and Vista
- Objectifying JavaScript
- The beauty in (user) experience
- Microsoft JavaScript Perf. Tips
- "Atlas" 1.0 Naming and Roadmap
- JavaScript Closures for Dummies
- Dramatically improved IE7 JavaScript performance
- Scope in Javascript
- TIBCO GI Supports Firefox
- Web Development Tools for the Power Developer
- Stop using the “beta” label
- Goplan is on, invites are out
- Web 2.0 and the necessity of failure
- Facebook Gets Egg on its Face, Changes News Feed Feature
- ChosenVIP to Launch Exclusive Social Networking Site
- Breaking: Xanga Fined $1 Million For Violating Children’s Privacy
- vSocial Gets Funding for More Video-Sharing
- Treemo Launches - YouTube Plus Photobucket on Your Phone
- Faketown 2.0 - The Next Habbo Hotel?
- Wink 2.0 Launches, Becomes a Social Network
- Crowdstorm and Dovetail.tv Launch Today
- From Barcamp to Shift
- Rojo Acquired by SixApart
- The Facebook Backlash Begins
- Motionbox Gets Funded
- Soapbox’s Social Network For Reviews
- Apocalypse 2.0 - A New Era of Fragmentation
- YouTube IPO?
- HyperScope: From the past to the future
- Multiply to Announce Social Bookmarking Tool
- Dojo’s Deferred API
- Politicians Come To Facebook for Election 2006
- Beginning Ajax with ASP.NET
- Tagged Rolls Out New Features
- JavaScript Persistent Object Notation (JSPON)
- GWT + JSF = G4jsf
- Pageviews are Obsolete
- Blog It with WLW from Firefox
- BookMooch’s Social Network for Book Lovers
- Webshots Reloaded
- MySpace Audio Comments from MyChingo
- Hotspottin Launches Social Network For Hotspots
- More Developers Are Using AJAX in Emerging Markets Than in North America
- Kaboodle Gets Widgetized!
- Vdiddy Aggregates YouTube, Metacafe, MySpace Video
- Google Pitching Services to Small and Medium Sized Businesses
- Corporate collaboration software
- FilteringTable dojo Widget
- Windows Live Writer Plugins
- Lightbox using iFrames instead of AJAX
- Is Google Still The Ajax King?
- If blogging is a conversation
- Facebook Ads, Powered by Microsoft
- Grouper Acquired by Sony For $65 Million in Cash
- Zero Kode, Visual Designer for ZK
- Facebook Notes - Facebook Adds Blogs
- Paris Hilton Videos Now on YouTube
- Traineo Launches Social Network for Weight Loss
- CrazyEgg Launches
- AmateurIllustrator Takes on DeviantArt
- Feedpass Takes Aim at MySpace Blogs
- Univillage Launches UK Facebook
- Friendster Makes Friends with $10 Million
- Ajax Login with Acegi
- Don’t be afraid of Google
- BattleOut Puts Photos Head-to-Head
- Photobucket Raises Millions More
- Twango is YouTube for Everything
- Ask.com’s Binoculars - Help or Hinderace?
- YouTube To Host Music Videos
- Burrp Launches Social Reviews Site Today
- Takkle - Social Network For High School Sports
- BlueOrganizer - a Fresh Look, and Codes for MySpace
- Kiko for Sale on eBay For $50,000
- MySpace Video vs YouTube - Who’s Winning?
- Trailfire Launches Advanced Social Bookmarking Tool
- Windows Live Writer (Beta)
- Blogger Releases New Beta Version
- Kevo Launches - Wikipedia Meets Paris Hilton
- Interview: Google’s Bruce Johnson on the new GWT 1.1 Release
- Drawing the line on picking clients
- Unobtrusive Javascript and Ajax for Rails
- TypePad Launches TypePad Mobile
- SXSW Panel Picker
- Real Time Satellite Tracking (with Google Maps)
- Crowdstorm - Social Networking Meets Shopping
- How to Design a large AJAX Application
- RSS Etiquette
- TripHub Launches Group Travel Site
- Adoppt - Another Generic Social Network
- JavaScript Model-View-Controller with Dojo toolkit
- Cross Domain XMLHttpRequest
- CEO Blogging at WordCamp 2006
- AOL Video Is Live - and it’s BIG!
- What’s So Special About Ajax?
- What we think of Web 2.0
- 30Boxes Releases the822, a New People Search Engine
- CREAMaid One-Ups PayPerPost
- Windows Live Spaces Goes Live, Succeeds MSN Spaces
- Yahoo! yodels
- Web 2.0 desktop-style apps: Why no local drafts?
- Build an RSS Feed Reader using Ajax and PHP
- One month to Barcamp Portugal!
- PHPClasses.org Ajax Upgrade
- ClipShack Owner Gets $2M
- Look Out Dell - Sutori is Coming
- Hosting providers, meet reality check
- Eons Launches - You Have 5 Unread Death Alerts
- YouTube Now “More Popular” than MySpace
- CSS: The Tech Ajax Forgot
- Reading on a screen is a lousy experience
- WeatherBug Launches YouTube for Weather
- CNN Exchange - CNN’s Answer to YouTube
- Cooqy Brings eBay to MySpace - and Finds a Workaround to the MySpace Update?
- SingShot Launches the YouTube of Karaoke
- Creating an Ajax Login Page with Dojo/Zend Framework
- Aptana: New Web IDE in Beta
- MySpace Screws Up Again: Accounts Being Deleted?
- Is Ajax development slowing down?
- Snapvine Adds Voice Comments To MySpace
- Cross-site Ajax (from OSCON 2006)
- Ajax and the Spring Framework with TIBCO General Interface
- Cyworld US is Live
- Slate Reddit Released
- Snocap Launches Linx - Napster Founder Selling Unprotected MP3s on MySpace
- MenuTree Serves Up Take-Out 2.0
- Netscape Hacked
- YouTube Is Not For Sale
- SayNow Adds Mobile Shoutouts To MySpace Music
- Sneakerplay’s Sneaker-Based Social Network
- Nokia and Backbase cooperate on Mobile AJAX
- Goplan updates
- Mike Potter Builds a Flash-y Ajax Site
- ImageKind Launches - CafePress for Wall Art
- GPokr: Ajax Poker App
- Biggest AJAX problem
- Dabble Searches YouTube, MySpace Video, Metacafe and More
- Nextcat - MySpace For Entertainment
- Socialtext Open Launches - Commercial Open Source Wiki
- Folkd is a Half-Decent Digg Clone (Finally)
- Safari: Browser.Back + Ajax
- Technorati Turns Three, Releases Major Update
- MySpace Goes Offline
- If you can’t build a community, buy one
- Declarative Ajax
- Is AJAX Accessibility a major issue?
- Free AJAX Training Course
- Stop trying to be Myspace
- Integration of Spry and PHP/MySQL
- Ajax as a Remedy for the Cacheability-Personalization Dilemma
- J2EE and AJAX: AJAX with Servlets
- Two Key Challenges for Ajax Adoption that We Have Ignored
- Adobe Spry and PHP/MySQL
- Ajax Activity Indicators
- MODx CMS - An Ajax/PHP Content System
- Web API authentication for mashups
- Explaining AJAX
- JSON.NET
- Digg and the wisdom of crowds
- uniAjax: an ajax framework focused on browser support
- Atlas June CTP
- Barcamp Portugal, more details
- Relay: Ajax File Manager
- Dojo Available in Ning Applications
- Interview with ZK Creator Tom Yeh
- Small Business & Web 2.0 Marketing
- New eCommerce Blog: Tips & Tricks To Help Merchants Sell More
- 128 Google Developer Videos
- New YouTube API Coming Soon
- Google Buys Mashup
- Bitjuice: JavaScript Bitmap API
- Implementing a syntax-higlighting JavaScript editor in JavaScript
- fValidator: Unobtrusive javascript tool for easy handling form validation
- Event.observeMethod: More AOP for JavaScript
- Chat Infection: Embed Web Chat
- YouTube API Blog Launches
- 7 Java Resources for Mashups
- Google Developer Day
- Prototype 1.5.1 release candidate released
- The Value of Google Gadgets
- Currying in JavaScript
- New Google Notebook API
- Image Thumbnail Viewer
- Microsoft IE JavaScript Perf. Tips, Part Trois
- Dishola: Web 2.0 Restaurant Guide
- eCirkit: More social networking
- Create your own Webtop in PHP and JavaScript
- GCalendar: Accessing Google Calendar from JavaScript
- jsFlickrSlideshow: Sliding through Flickr
- TagBulb: Tag Search Simplified
- JavaScript Variable Dump in Coldfusion
- Goodbye Google SOAP API
- Phobos and Dojo
- Building a Fish Eye Menu
- Google Web Toolkit 1.3: Open Source
- tooltip.js version 0.2
- ThinWire 1.2 RC 1 Released
- MooTools for the Rest of Us
- Drawling lines in JavaScript
- Black Background Technique
- Amberjack: JavaScript Site Tour Creator
- Integrating Maps into Your Java Web Application with Google Maps and Ajax
- On clever experiences
- Google Gadgets for your site
- Graft: Making Javascript DOM a Piece of Cake
- Web 2.0 t-shirts - Web 2.0 Shopping
- UPS Begins Talks with Teamsters
- CDW, Welcome to the Fast Five
- Good Looking Deal Hunting
- Usability Report Card
- Lighter Fare: Craigslist eCommerce
- Keep Your Customers Updated with RSS Feeds
- Introducing Web 2.0 Stores (beta) - Anything Less is Just a Web Store
- Web 2.0 Success in 10 Steps
- JavaScript Throbber
- Web2.0ish Thinking for Ecommerce Merchants
- jQuery 1.0 Released
- ThisNext Launches Shopping Social Network
- Nick Lachey’s Celebrity Social Network - Flop or YFly?
- Survey of Javascript Inheritance Techniques
- JavaScript Tricks And Good Programming Style
- Fanpop Launches Social Network for Fans
- Can Your Programming Language Do This? Javascript Can.
- Del.icio.us Adds Network Badges - Now Officially a Social Network
- The Dangers of Browser Detect
- How To Load And Parse XML Data Without ActiveX
- FlickrMap V2 Released - Put Flickr Maps on Your Blog
- Web 2.0: Why Tufte is wrong
- Make your own kind of music at SingShot
- Gmail and content findability
- Hating Web 2.0: Privacy vs. Convenience
- SpyMedia 2.0 Launches - Sell Your Photos on Blogs and MySpace
- Prototypify: Running Prototype code with legacy code
- Pains of document.domain in FireFox 1.5
- Javascript Boot Camp Tutorial
- SportsMates Launches - Sports Themed MySpace
- Planning an Ajax Boot Camp
- Facebook Giving Away Free iTunes Music
- Otavo Launches - Yahoo Answers, Friendster and del.ici.ous Rolled into One
- Rediscovering Flyweight for Javascript
- Stylehive Gets Funding
- Link Thumbnail: Photo Mouse Over
- Breaking User Interfaces for Fun and Profit
- Diigo Launches, Nobody Cares
- TeamSugar Launches Social Network for Women
- Gotuit - YouTube for Premium Content?
- Advanced Box Model Testing
- XN Test: The next Unit Testing project?
- XMLHttpRequest Quirks and PHP
- CSS Browser Selector
- Google Paint
- A Java-based HTTP Proxy for Ajax
- Interview with Jakob Nielsen
- Json.NET 1.1: Converting between XML and JSON
- The Importance of Maintainable JavaScript
- AJAX pagination made simple (with Symfony)
- A Basic Approach to Server-side Data Validation with AJAX
- Go forth and API
- Tuesday Morning Roundup
- Shopify.com | Web 2.0 Ecommerce
- OPML Icon
- Echo2 Widget Panel
- Slightly ThickerBox
- Json.NET: Library to help with .NET - JS communication
- PayPerPost: Right or Wrong?
- IntelliJ IDEA Google Web Toolkit Support
- Google Checkout
- Private and Public Members in JavaScript
- JavaRef: Ajaxified JavaDoc
- Safari gets a Javascript debugger
- Speeding up Prototype’s $$ Selector
- London Tube Route Finder
- Tagging 2.0
- RSS 2.0
- Ecommerce 2.0
- Marketing 2.0
- Bookmarking 2.0
- Blogging 2.0
Chris Shiflett has posted his look today at cross-domain Ajax requests and some of the security implications that can come with it, especially in a world where more and more developers are beginning to think it's okay.
Since the birth of Ajax (the term, not the technology), there has been an increasing interest in various client-side technologies, especially JavaScript. Those who have forged ahead in an attempt to innovate new ways of applying Ajax have inevitably run into the same-domain security policy of XMLHttpRequest(). As a result, there has been an increasing demand for cross-domain Ajax, and there are several creative techniques in use today to get around the same-domain restriction (none of which I consider cross-domain Ajax).He talks about other methods that can capture the data in an Ajax request (post scanner), but notes that one of the real dangers is removing a barrier for cross-site request forgeries that most normal sites already have in place. To illustrate, he mentions an issue Digg had with a "self-digging story" a little while back. He also includes a sort of how-to on the method that they used to accomplish the task - basically a Javascript form submit on each viewing. There are checks in place for it now, but there's still the same kind of issue with cross-domain requests. Sure, you'd have to lure diggers to another page to get the key required for another digg, but since the code runs on the client, digg doesn't have much protection.
It's worth noting that XSS vulnerabilities allow malicious JavaScript to execute within your domain, thereby avoiding the same-domain restrictions. This can have catastrophic consequences. Just ask Myspace.