Five AJAX Frameworks Reviewed
prostoalex writes "Dr. Dobb's Journal reviews 5 AJAX frameworks: Dojo 0.3.1, Prototype and Scriptaculous 1.4, Direct Web Reporting 1.0, Yahoo! User Interface Library 0.11.1 and Google Web Toolkit 1.0. Each framework was tested in two basic scenarios — writing a 'hub' (titled collapsible link list frequently seen on sidebars of many Web sites) and a 'tab panel' (horizontal tabbed navigation bar). During the process, Dr. Dobb's Journal reviewers noted that 'Dojo provides more features and HTML widgets than YUI and Prototype' but eventually 'settled on the Yahoo! User Interface Library.'"
Re:Just don't choose them all! (Score:3, Funny)
AJAX is the antithesis of security. (Score:1, Funny)
Level 0) Hardware: we have to make sure our computer systems themselves are secure.
Level 1) Network: we have to make sure that the physical network between our computer systems is secure.
Level 2) Operating System: the OS running on the Level 0 hardware needs to be secure.
Level 3) Operating System Userland Libraries: the userland libraries interfacing with the Level 2 OS kernel need to be secured.
Level 3) Web Server: the HTTP daemon running on top of the Level 2 OS and making use of the Level 3 libraries needs to be secure.
Level 4) Database System: the database system being accessed by the web app needs to be secured.
Level 5) Web App Back-end: the back-end web application handling the AJAX requests, and possibly interacting with the Level 4 DB system, must be secure.
Level 6) Client->Server Network: the network between the client and the web server must be secured (e.g. SSL, TLS).
Level 7) Web Browser: the web browser making the AJAX requests requires security, especially in the face of JavaScripts from different sites being run concurrently.
Level 8) Web App Front-end: the JavaScript code making up the front-end of the AJAX application, and running in the client's web browser, must also be secured.
So we've got at least NINE different layers that need to be secured. Now, these layers are provided by different groups, individuals, companies, you name it. The coordination between these groups is limited. Furthermore, what constitutes a security flaw from the perspective of one layer is a normal operation from the perspective of another layer.
All in all, when we start deploying AJAX applications (or web apps in general), we end up with a massively complex layering effect that seriously impacts the security of the entire stack. It becomes very difficult for even a team of administrators, developers and security analysts to properly ensure that such a deployment is sufficiently secure.
There's only one solution: reduce the layering. Yes, that means ditching AJAX, web browser and web servers. If an application must be executed remotely, it's best to use X11, RDP, VNC, SSH or similar technology. That runs the client on the same system as the server, thus eliminating some of the layers. At least then the problem becomes more manageable, if not yet ideal.