[OpenAjaxSecurity] Fw: [OpenAjaxCommunicationsHub] SMash source code contribution

Frederik De Keukelaere EB41704 at jp.ibm.com
Thu Sep 6 07:07:43 PDT 2007


Hi all,

Please find below the recent discussion between Dipesh and me on the 
recent SMash contribution. Since we thought this discussion might be of 
interest to a broader public, we moved the discussion to the mailing list. 
Feel free to join and provide your thoughts and suggestions.

Kind regards,

Frederik
---
Frederik De Keukelaere, Ph.D.
Postdoctoral Researcher
IBM Research, Tokyo Research Laboratory

----- Forwarded by Frederik De Keukelaere/Japan/Contr/IBM on 2007/09/06 23:03 -----

"Patel, Dipesh" <Dipesh.Patel at FMR.COM> wrote on 2007/09/05 23:00:00:

> No problem.
> 
> From: Frederik De Keukelaere [mailto:EB41704 at jp.ibm.com] 
> Sent: Wednesday, September 05, 2007 12:31 AM
> To: Patel, Dipesh
> Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution

> 
> "Patel, Dipesh" <Dipesh.Patel at FMR.COM> wrote on 2007/09/04 22:54:38:
> 
> > This conversation's very interesting. 
> 
> I think so as well. Do you mind if we move this conversation to the 
> mailing list? 
> 
> > 
> > From: Frederik De Keukelaere [mailto:EB41704 at jp.ibm.com] 
> > Sent: Sunday, September 02, 2007 9:38 PM
> > To: Patel, Dipesh
> > Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution
> > 
> > "Patel, Dipesh" <Dipesh.Patel at FMR.COM> wrote on 2007/09/03 02:24:11:
> > 
> > > Hi Frederik, 
> > > 
> > > I started to review your code.  At this point our primary concern is
> > > inter-frame communications between documents from hosts in the same 
> > > domain. 
> > 
> > Actually, if your documents are in the same domain you can just 
> > access them directly without using the fragment communication. From 
> > within the frames use parent.window to access the global environment
> > of the parent document. However, personally I think that having a 
> > pub sub layer on top of it has some benefits for the programmer and 
> > probably more important, allows the extension to a secure version of it.
> > 
> > DP:  At what point does design and consistency not matter?  This is 
> > a loaded question and is very subjective, something that I struggle 
> > with all the time.  I agree with you in terms of pub/sub layer or a 
> > normalized API for eventing.  Many people are not used to the 
> > engineering aspect of Web 2.0 development and therefore see very little
> > value of reusable JavaScript APIs for Ajax based development. 
> > 
> > 
> > > I don't think we're ready to take on the security 
> > > challenges of taking on communications between docs in different domains. 
> > 
> > I think you should consider the benefits of it, if you can't trust 
> > all the documents which are communicating. Considering the huge 
> > amount of XSS attacks this is usually the case. 
> > 
> > DP:  Agree.  In the next phase of our architecture we'll have to 
> > consider this. 
> > 
> > > I'm trying to follow your code.  The top level document is 
> > > responsible for channel creation and the loading of the components 
> > > via the SEHub APIs. 
> > 
> > Correct. 
> > 
> > > And all components are hard wired through the 
> > > use of SEHubClient API. 
> > 
> > I prefer to call the linking between the ports and the channels in 
> > the top level document "wiring". In each of the components "ports" 
> > are made available through the SEHubClient API. This can be done in 
> > a dynamic way as long as the top level document can figure out the 
> > name of the port it can be wired to a channel. 
> > 
> > DP:  In my opinion there should be a single API for eventing for 
> > both top level container as well as for each component.  Ideally 
> > I'd like to use the SEHub API and let it internally figure out 
> > whether to use SEHubClient or not.  I think you're saying the same.
> > 
> > > My question is can these components run in 
> > > a standalone mode?  In other words if I access the component URL 
> > > directly should they work? 
> > 
> > They should work (maybe they will throw some JavaScript errors but I
> > have not tested that). Of course, there will be no communication possible. 
> > DP:  It doesn't, I tried.  :-). 
> > 
> > > Do you have design documents that you can share?  We have an 
> > > immediate need for this type of communications and your work looks very good.
> > 
> > Thank you for your appreciation of our work. We have published a 
> > technical report discussing this work. Since the server providing 
> > this document was off-line when I wrote this mail, I attached the PDF below. 
> > 
> > 
> > Let me know if you have any further questions. 
> > 
> > > -Dipesh 
> > > 
> > > 
> > > 
> > > From: Frederik De Keukelaere [mailto:EB41704 at jp.ibm.com] 
> > > Sent: Friday, August 31, 2007 11:04 PM
> > > To: Patel, Dipesh
> > > Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution
> > 
> > > 
> > > Hi Dipesh Patel, 
> > > 
> > > Thank you for your interest in our work. The OpenAjax Alliance 
> > > SourceForge project is located at http://sourceforge.net/projects/openajaxallianc. 
> > > You can find some info on how to connect to the SVN at 
> > > http://sourceforge.net/svn/?group_id=175671. The following link will
> > > take you directly to the code which is accessible on the web using a
> > > regular browser. http://openajaxallianc.svn.sourceforge.net/viewvc/openajaxallianc/hub/trunk/sandbox/smash/. 
> > > 
> > > Let me know if you have any further questions and please provide us 
> > > with your feedback on this work. 
> > > 
> > > Kind regards, 
> > > 
> > > Frederik 
> > > ---
> > > Frederik De Keukelaere, Ph.D.
> > > Postdoctoral Researcher
> > > IBM Research, Tokyo Research Laboratory
> > > 
> > > 
> > 
> > > 
> > > From: "Patel, Dipesh" <Dipesh.Patel at FMR.COM> 
> > > To: Frederik De Keukelaere/Japan/Contr/IBM at IBMJP 
> > > Date: 2007/09/01 01:52 
> > > Subject: RE: [OpenAjaxCommunicationsHub] SMash source code contribution 
> > > 
> > > Hi Frederik, 
> > > 
> > > We are interested in reviewing the SMash source code, as we have 
> > > similar requirements for one of the projects.  Unfortunately I 
> > > cannot locate the information on SourceForge.  May I ask for a URL 
> > > that I can access? 
> > > 
> > > -Dipesh Patel 
> > > 
> > > From: communicationshub-bounces at openajax.org [
> > > mailto:communicationshub-bounces at openajax.org] On Behalf Of Frederik
> > > De Keukelaere
> > > Sent: Friday, August 31, 2007 4:26 AM
> > > To: security at openajax.org; communicationshub at openajax.org
> > > Subject: [OpenAjaxCommunicationsHub] SMash source code contribution
> > > 
> > > 
> > > Dear all, 
> > > 
> > > We are happy to announce that we have just completed checking in the
> > > SMash source code into the OAA SourceForge project. The code is 
> > > available in the sandbox under the directory smash (/hub/trunk/sandbox/smash). 
> > > 
> > > The code is accompanied by 3 small demos illustrating the potential 
> > > use of this library. 
> > > 
> > > Simple demo: This is a basic demo illustrating the basics of cross 
> > > frame communication in this library. The ports are statically wired 
> > > to the channels in the main application. (includes alerts that 
> > > illustrate component state transitions and messages on channels) 
> > > smash/demos/simple/index.html 
> > > 
> > > Dynamic demo: This is a basic demo illustrating dynamic wiring of 
> > > ports and channels and the dynamic creation and deletion of 
> > > components. (includes alerts that illustrate component state 
> > > transitions and messages on channels) 
> > > smash/demos/dynamic/index.html 
> > > 
> > > Attacks: This demo contains a list of the possible attacks against 
> > > our library (message integrity attacks and component phishing 
> > > attacks) and the different detection and protection mechanisms we 
> > > have implemented for them. 
> > > smash/demos/attacks/index.html 
> > > 
> > > More information about SMash can be found at http://www.openajax.org/member/wiki/Mashup_Security_Approaches#SMash. 
> > > 
> > > I would like to encourage people to have a look at it and discuss 
> > > how this technology can be used to enable secure mashups for future 
> > > Hub releases. 
> > > 
> > > Kind regards, 
> > > 
> > > Frederik 
> > > on behalf of the SMash team. 
> > > 
> > > ---
> > > Frederik De Keukelaere, Ph.D.
> > > Postdoctoral Researcher
> > > IBM Research, Tokyo Research Laboratory 
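The wiring model discussed in the thread above (components expose named "ports", the top-level document owns the "channels", and only the top-level document decides which port is wired to which channel) together with the single-string transport that cross-domain frames had to fall back on (the URL fragment), as an added example. This is not SMash's own code and not taken from the OAA sandbox: the `#smash:` wire format, the `Hub` class, the component names and the assumption that the hub already knows which frame a fragment came from are all illustrative choices made here.

```javascript
// Added example, not SMash's own code: a minimal model of ports, channels and wiring.
// The wire format below is hypothetical, chosen only to show why a fragment-carried
// message must be serialised into one string and validated on the way back.
const PREFIX = '#smash:';

// Serialise (port, channel, payload) into a string that fits in a URL fragment.
// encodeURIComponent escapes ':' so the separator cannot appear inside a field.
function encodeFragmentMessage(portName, channelName, payload) {
  return PREFIX + [portName, channelName, payload].map(encodeURIComponent).join(':');
}

// Parse a fragment back into its fields; anything that is not well-formed yields null.
function decodeFragmentMessage(fragment) {
  if (typeof fragment !== 'string' || !fragment.startsWith(PREFIX)) return null;
  const parts = fragment.slice(PREFIX.length).split(':');
  if (parts.length !== 3) return null;
  try {
    const [portName, channelName, payload] = parts.map(decodeURIComponent);
    return { portName, channelName, payload };
  } catch (err) {
    return null; // malformed percent-encoding
  }
}

// The hub belongs to the top-level document: it creates channels and decides the wiring.
// Components never wire themselves; they only expose named ports.
class Hub {
  constructor() {
    this.channels = new Map();   // channelName -> Set of "component/port" subscribers
    this.publishers = new Map(); // "component/port" -> channelName it may publish on
    this.log = [];               // audit trail of accepted and rejected messages
  }

  createChannel(name) {
    if (!this.channels.has(name)) this.channels.set(name, new Set());
  }

  // Wire one of a component's ports to a channel, either as publisher or as subscriber.
  wire(componentId, portName, channelName, role) {
    if (!this.channels.has(channelName)) throw new Error('unknown channel: ' + channelName);
    const key = componentId + '/' + portName;
    if (role === 'publish') this.publishers.set(key, channelName);
    else if (role === 'subscribe') this.channels.get(channelName).add(key);
    else throw new Error('role must be "publish" or "subscribe"');
  }

  // Handle a fragment message that arrived from a component frame. senderId is what the
  // hub itself knows about the frame that wrote the fragment (assumption: the transport
  // tells the hub which frame it was); it is never read out of the message.
  receive(senderId, fragment) {
    const msg = decodeFragmentMessage(fragment);
    if (msg === null) return this.reject(senderId, 'malformed fragment');
    const key = senderId + '/' + msg.portName;
    if (this.publishers.get(key) !== msg.channelName) {
      return this.reject(senderId, key + ' is not wired to publish on ' + msg.channelName);
    }
    const deliveries = [];
    for (const subscriber of this.channels.get(msg.channelName)) {
      deliveries.push({ to: subscriber, payload: msg.payload });
    }
    this.log.push({ accepted: true, from: key, channel: msg.channelName });
    return { accepted: true, deliveries };
  }

  reject(senderId, reason) {
    this.log.push({ accepted: false, from: senderId, reason });
    return { accepted: false, deliveries: [], reason };
  }
}

// Constructed scenario: a quotes component publishes on one channel that two others read.
function demo() {
  const hub = new Hub();
  hub.createChannel('stock-ticker');
  hub.wire('quotes', 'out', 'stock-ticker', 'publish');
  hub.wire('chart', 'in', 'stock-ticker', 'subscribe');
  hub.wire('news', 'in', 'stock-ticker', 'subscribe');

  // Wired publisher: accepted and fanned out to both subscribers (payload keeps its ':').
  const accepted = hub.receive('quotes', encodeFragmentMessage('out', 'stock-ticker', 'IBM:100'));
  // A subscriber-only component naming the publisher's port: rejected, wiring is per sender.
  const unwired = hub.receive('news', encodeFragmentMessage('out', 'stock-ticker', 'IBM:1'));
  // A fragment that is not a hub message at all: rejected before any lookup.
  const garbage = hub.receive('quotes', '#not-a-hub-message');
  return { accepted, unwired, garbage, log: hub.log };
}
```

The point of keying the publisher check on the sender the hub itself identified, rather than on a port name carried inside the message, is that a component cannot talk its way onto a channel it was never wired to; the top-level document's wiring table is the only thing that grants publish rights, which is what makes the pub/sub layer a place where a secure variant can be added later.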