[OpenAjaxSecurity] Fw: [OpenAjaxCommunicationsHub] SMash source code contribution
Frederik De Keukelaere
EB41704 at jp.ibm.com
Thu Sep 6 07:07:43 PDT 2007
Hi all,
Please find below the recent discussion between Dipesh and me on the
recent SMash contribution. Since we thought this discussion might be of
interest to a broader public, we moved the discussion to the mailing list.
Feel free to join and provide your thoughts and suggestions.
Kind regards,
Frederik
---
Frederik De Keukelaere, Ph.D.
Postdoctoral Researcher
IBM Research, Tokyo Research Laboratory
----- Forwarded by Frederik De Keukelaere/Japan/Contr/IBM on 2007/09/06 23:03 -----
"Patel, Dipesh" <Dipesh.Patel at FMR.COM> wrote on 2007/09/05 23:00:00:
> No problem.
>
> From: Frederik De Keukelaere [mailto:EB41704 at jp.ibm.com]
> Sent: Wednesday, September 05, 2007 12:31 AM
> To: Patel, Dipesh
> Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution
>
> "Patel, Dipesh" <Dipesh.Patel at FMR.COM> wrote on 2007/09/04 22:54:38:
>
> > This conversation's very interesting.
>
> I think so as well. Do you mind if we move this conversation to the
> mailing list?
>
> >
> > From: Frederik De Keukelaere [mailto:EB41704 at jp.ibm.com]
> > Sent: Sunday, September 02, 2007 9:38 PM
> > To: Patel, Dipesh
> > Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution
> >
> > "Patel, Dipesh" <Dipesh.Patel at FMR.COM> wrote on 2007/09/03 02:24:11:
> >
> > > Hi Frederik,
> > >
> > > I started to review your code. At this point our primary concern is
> > > inter-frame communications between documents from hosts in the same
> > > domain.
> >
> > Actually, if your documents are in the same domain you can just
> > access them directly without using the fragment communication. From
> > within the frames use parent.window to access the global environment
> > of the parent document. However, personally I think that having a
> > pub sub layer on top of it has some benefits for the programmer and
> > probably more important, allows the extension to a secure version of it.
> >
> > DP: At what point does design and consistency not matter? This is
> > a loaded question and is very subjective, something that I struggle
> > with all the time. I agree with you in terms of pub/sub layer or a
> > normalized API for eventing. Many people are not used to the
> > engineering aspect of Web 2.0 development and therefore see very little
> > value in reusable JavaScript APIs for Ajax based development.
> >
> > > I don't think we're ready to take on the security
> > > challenges of taking on communications between docs in different domains.
> >
> > I think you should consider the benefits of it, if you can't trust
> > all the documents which are communicating. Considering the huge
> > amount of XSS attacks this is usually the case.
> >
> > DP: Agree. In the next phase of our architecture we'll have to
> > consider this.
> >
> > > I'm trying to follow your code. The top level document is
> > > responsible for channel creation and the loading of the components
> > > via the SEHub APIs.
> >
> > Correct.
> >
> > > And all components are hard wired through the
> > > use of SEHubClient API.
> >
> > I prefer to call the linking between the ports and the channels in
> > the top level document "wiring". In each of the components "ports"
> > are made available through the SEHubClient API. This can be done in
> > a dynamic way as long as the top level document can figure out the
> > name of the port it can be wired to a channel.
> >
> > DP: In my opinion there should be a single API for eventing for
> > both top level container as well as for each component. Ideally
> > I'd like to use the SEHub API and let it internally figure out
> > whether to use SEHubClient or not. I think you're saying the same.
> >
> > > My question is can these components run in
> > > a standalone mode? In other words if I access the component URL
> > > directly should they work?
> >
> > They should work (maybe they will throw some JavaScript errors but I
> > have not tested that). Of course, there will be no communication possible.
> >
> > DP: It doesn't, I tried. :-).
> >
> > > Do you have design documents that you can share? We have an
> > > immediate need for this type of communications and your work looks very good.
> >
> > Thank you for your appreciation of our work. We have published a
> > technical report discussing this work. Since the server providing
> > this document was off-line when I wrote this mail, I attached the PDF below.
> >
> >
> > Let me know if you have any further questions.
> >
> > > -Dipesh
> > >
> > >
> > >
> > > From: Frederik De Keukelaere [mailto:EB41704 at jp.ibm.com]
> > > Sent: Friday, August 31, 2007 11:04 PM
> > > To: Patel, Dipesh
> > > Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution
> >
> > >
> > > Hi Dipesh Patel,
> > >
> > > Thank you for your interest in our work. The OpenAjax Alliance
> > > SourceForge project is located at http://sourceforge.net/projects/openajaxallianc.
> > > You can find some info on how to connect to the SVN at
> > > http://sourceforge.net/svn/?group_id=175671. The following link will
> > > take you directly to the code which is accessible on the web using a
> > > regular browser: http://openajaxallianc.svn.sourceforge.net/viewvc/openajaxallianc/hub/trunk/sandbox/smash/.
> > >
> > > Let me know if you have any further questions and please provide us
> > > with your feedback on this work.
> > >
> > > Kind regards,
> > >
> > > Frederik
> > > ---
> > > Frederik De Keukelaere, Ph.D.
> > > Postdoctoral Researcher
> > > IBM Research, Tokyo Research Laboratory
> > >
> > > From: "Patel, Dipesh" <Dipesh.Patel at FMR.COM>
> > > To: Frederik De Keukelaere/Japan/Contr/IBM at IBMJP
> > > Date: 2007/09/01 01:52
> > > Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution
> > >
> > > Hi Frederik,
> > >
> > > We are interested in reviewing the SMash source code since we have
> > > similar requirements for one of the projects. Unfortunately I
> > > cannot locate the information on SourceForge. May I ask for a URL
> > > that I can access?
> > >
> > > -Dipesh Patel
> > >
> > > From: communicationshub-bounces at openajax.org [mailto:communicationshub-bounces at openajax.org] On Behalf Of Frederik De Keukelaere
> > > Sent: Friday, August 31, 2007 4:26 AM
> > > To: security at openajax.org; communicationshub at openajax.org
> > > Subject: [OpenAjaxCommunicationsHub] SMash source code contribution
> > >
> > >
> > > Dear all,
> > >
> > > We are happy to announce that we have just completed checking in the
> > > SMash source code into the OAA SourceForge project. The code is
> > > available in the sandbox under the directory smash (/hub/trunk/
> > > sandbox/smash).
> > >
> > > The code is accompanied by 3 small demos illustrating the potential
> > > use of this library.
> > >
> > > Simple demo: This is a basic demo illustrating the basics of cross
> > > frame communication in this library. The ports are statically wired
> > > to the channels in the main application. (Includes alerts that
> > > illustrate component state transitions and messages on channels.)
> > > smash/demos/simple/index.html
> > >
> > > Dynamic demo: This is a basic demo illustrating dynamic wiring of
> > > ports and channels and the dynamic creation and deletion of
> > > components. (Includes alerts that illustrate component state
> > > transitions and messages on channels.)
> > > smash/demos/dynamic/index.html
> > >
> > > Attacks: This demo contains a list of the possible attacks against
> > > our library (message integrity attacks and component phishing
> > > attacks) and the different detection and protection mechanisms we
> > > have implemented for them.
> > > smash/demos/attacks/index.html
> > >
> > > More information about SMash can be found at http://www.openajax.org/member/wiki/Mashup_Security_Approaches#SMash.
> > >
> > > I would like to encourage people to have a look at it and discuss
> > > how this technology can be used to enable secure mashups for future
> > > Hub releases.
> > >
> > > Kind regards,
> > >
> > > Frederik
> > > on behalf of the SMash team.
> > >
> > > ---
> > > Frederik De Keukelaere, Ph.D.
> > > Postdoctoral Researcher
> > > IBM Research, Tokyo Research Laboratory
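The thread above describes a top-level document that creates channels and wires component ports to them, with components talking only through a client API, and the attacks demo names message integrity and component phishing as the threats. The following is an added illustration of that wiring model, not SMash's own code: the Hub class, the client handle and all component, port and channel names are hypothetical, and the scenario data is constructed.

```javascript
// Added illustration with hypothetical names (Hub, client handle), not SMash code.
// The top-level document owns the Hub: it creates channels and wires component
// ports to them. A component holds only the handle the hub gave it, so it can
// publish only on channels its ports are wired to, and the hub stamps the sender.
class Hub {
  constructor() {
    this.channels = new Set();   // channel names created by the container
    this.wiring = new Map();     // componentId -> Map(port -> channel)
    this.clients = new Map();    // componentId -> client handle
    this.rejected = [];          // audit trail of refused publishes
  }
  createChannel(name) { this.channels.add(name); }
  wire(componentId, port, channel) {   // wiring is the container's decision
    if (!this.channels.has(channel)) throw new Error(`unknown channel ${channel}`);
    if (!this.wiring.has(componentId)) this.wiring.set(componentId, new Map());
    this.wiring.get(componentId).set(port, channel);
  }
  client(componentId) {          // identity is fixed here, not self-declared
    const handlers = new Map();  // port -> callback inside the component
    const handle = {
      onPort: (port, cb) => { handlers.set(port, cb); },
      publish: (port, payload) => this.#publish(componentId, port, payload),
      deliver: (port, msg) => { const cb = handlers.get(port); if (cb) cb(msg); },
    };
    this.clients.set(componentId, handle);
    return handle;
  }
  #publish(from, port, payload) {
    const channel = this.wiring.get(from)?.get(port);
    if (!channel) { this.rejected.push({ from, port }); return false; } // unwired port
    const msg = { from, channel, payload };     // sender stamped by the hub
    for (const [id, ports] of this.wiring) {
      if (id === from) continue;
      for (const [p, ch] of ports) if (ch === channel) this.clients.get(id)?.deliver(p, msg);
    }
    return true;
  }
}
// Constructed scenario: search box and map share a channel; the ad widget, wired elsewhere, tries an unwired port.
function demo() {
  const hub = new Hub();
  hub.createChannel("search"); hub.createChannel("ads");
  for (const [c, p, ch] of [["searchBox", "query", "search"],
      ["mapWidget", "query", "search"], ["adWidget", "banner", "ads"]]) hub.wire(c, p, ch);
  const received = [];
  hub.client("mapWidget").onPort("query", (m) => received.push(m));
  const ok = hub.client("searchBox").publish("query", "tokyo");    // delivered
  const blocked = hub.client("adWidget").publish("query", "spoof"); // refused
  return { ok, blocked, received, rejected: hub.rejected };
}
```

Because the container alone decides the wiring and the hub stamps `from`, a component wired only to the ads channel can neither inject into the search channel nor claim to be the search box; the `rejected` list gives the container something to log.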