Solved

Discussion: Ajax and privacy

Posted on 2006-05-16
5
Medium Priority
642 Views
Last Modified: 2013-11-19
Hi Experts,

Currently we see the implementations of AJAX become more popular and pop up everywhere.
One of the things - I personally find it somewhat useless btw - is to use AJAX to run validation on form fields.
Implementing auto-completion on form fields sounds sensible, but using AJAX to validate email addresses seems silly and a waste of bandwidth. This however is not my point.

The thing I am wondering about is whether or not privacy might become an issue, in cases like the above forms.
In essence the AJAX forms submit personal details to servers before people themselves "give consent" by pressing a submit button. Although most of the time AJAX will be implemented without any malicious intent, there will always be those sites that use the technology in other ways. From a web browser/implementation point of view it is quite hard (if not impossible) to determine whether or not an AJAX implementation is transferring search terms, or email addresses, credit card numbers and other personal details.

My question therefore is: Is there a chance that, in the foreseeable future, AJAX can be banned/limited because of the privacy issues involved?
Also, which limitations should we be anticipating? (I.e., can AJAX be limited at all, or is it an all-or-nothing kind of situation?)

-r-
0
Comment
Question by:Roonaan
4 Comments
 
LVL 26

Assisted Solution

by:Eddie Shipman
Eddie Shipman earned 600 total points
ID: 16690963
Sure, AJAX can be defeated ENTIRELY by disabling Javascript.
I don't think anyone has even thought of that type of issue but
it certainly is valid. I'd hate to navigate to a site and have it
send my CC info via AJAX in an onBlur event.
0
 
LVL 5

Accepted Solution

by:
wranlon earned 1000 total points
ID: 16691900
First, I think it important to identify the current XMLHTTPRequest limitations.  XMLHTTPRequest and Microsoft's XMLHTTP have been restricted to the domain from which the Web page is hosted (I am not aware of any direct work-arounds).  Mozilla's implementation restricts this to the same port, where in the past Microsoft's ActiveX object could cross ports.

Second, consider the context of the private information: an ostensibly secure Web page.  Communication between client and server over HTTPS is encrypted, so even if the XML request could cross domains, the servers serving those third-party domains would have to be enrolled with the same certificate.

Third, consider the context of making an XML request over HTTP/S: someone who implements AJAX in an insecure manner could very well do the same thing with any other technology.  There is a certain degree of trust that must exist between end-user and the Web site requesting the information.  You may not balk at providing your credit card number to an experts-exchange.com membership, but you might think twice about doing the same on a Web site selling a more nefarious product or service.  AJAX is merely a tool that can be used or abused in the same way a generic HTML form could be abused.  In your example you have AJAX communicating private information without customer consent, and the same could be performed by submitting a form nestled within a hidden IFRAME, also without customer consent.

I don't think AJAX in general, and XML HTTP Requests in particular, are going to need to be changed to accommodate your concerns.  However, I think we will see (if we haven't already) AJAX design patterns and security considerations that establish guidelines for how AJAX should be used to improve customer experience without violating privacy policies, or agreements or certifications with financial institutions.
0
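The two designs discussed above (Eddie's onBlur example that ships a field to the server before the user presses submit, and wranlon's point that the fix is a design pattern rather than a change to XMLHttpRequest) can be made concrete. The following is an added example, not code from this thread or from any of the posters: it models the page's network layer with a recording stand-in instead of a real XMLHttpRequest, uses assumed endpoint paths (`/validate`, `/submit`), and contrasts an "eager" validator that posts each field on blur with a "consent-first" validator that does format checks locally and sends nothing until submit. The same comparison applies whether the transport is XHR, a hidden IFRAME or an image request, since only the stand-in transport would change.

```javascript
// Added example (not from the thread). Models the privacy difference between
// validating form fields on the server at every blur event and validating
// locally until the user explicitly submits.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Constructed stand-in for the browser's network layer: records every payload
// that would leave the page, so we can count what was sent before consent.
function makeTransport() {
  const sent = [];
  return { send(url, body) { sent.push({ url, body }); }, sent };
}

// Eager pattern: every blur event posts the raw field value to an assumed
// /validate endpoint. The user has not pressed submit yet.
function eagerValidator(transport) {
  return {
    onBlur(fieldName, value) {
      transport.send('/validate', { [fieldName]: value });
      return null; // nothing is known locally; the server decides
    },
  };
}

// Luhn checksum: catches mistyped card digits without any network traffic.
function luhnValid(digits) {
  const s = String(digits).replace(/\s+/g, '');
  if (!/^\d{12,19}$/.test(s)) return false;
  let sum = 0;
  for (let i = 0; i < s.length; i++) {
    let d = Number(s[s.length - 1 - i]); // walk from the rightmost digit
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Consent-first pattern: format checks run in the page; values stay in memory
// and are sent in one request to the assumed /submit endpoint only on submit().
function consentFirstValidator(transport) {
  const pending = {};
  const errors = {};
  return {
    onBlur(fieldName, value) {
      pending[fieldName] = value;
      if (fieldName === 'email') errors.email = EMAIL_RE.test(value) ? null : 'invalid email format';
      if (fieldName === 'card') errors.card = luhnValid(value) ? null : 'card number fails checksum';
      return errors[fieldName] ?? null;
    },
    submit() {
      if (Object.values(errors).some(Boolean)) return { ok: false, errors: { ...errors } };
      transport.send('/submit', { ...pending });
      return { ok: true };
    },
  };
}

// Run the same user interaction through both designs and report how many
// requests carrying personal data left the page before submit was pressed.
function compare(events) {
  const t1 = makeTransport(), t2 = makeTransport();
  const eager = eagerValidator(t1), consent = consentFirstValidator(t2);
  for (const [field, value] of events) { eager.onBlur(field, value); consent.onBlur(field, value); }
  const beforeSubmit = { eager: t1.sent.length, consentFirst: t2.sent.length };
  const result = consent.submit();
  return { beforeSubmit, afterSubmit: t2.sent.length, result };
}

// Constructed sample interaction: a well-known test card number, not a real one.
const SAMPLE_EVENTS = [['email', 'alice@example.com'], ['card', '4111 1111 1111 1111']];
console.log(JSON.stringify(compare(SAMPLE_EVENTS)));
```

With the sample events the eager design has already sent two requests containing the email address and card number before any submit, while the consent-first design has sent none; after submit() it sends exactly one. A mistyped card number is rejected locally by the checksum and never leaves the page at all.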
 
LVL 6

Assisted Solution

by:Samer Chidiac
Samer Chidiac earned 400 total points
ID: 16691951
That's a very interesting point you're addressing Roonaan. But to tell you the truth, Ajax / Atlas is the next best thing in web development .. so I'm sure there will be ways to get around this problem. Pretty much as with Flash animations in the new security patch ... you will need an extra click to activate the object ;)

Cheers,
SC

---------------------------------------
Samer Chidiac
Microsoft MVP - ASP/ASP.net
0
 
LVL 49

Author Comment

by:Roonaan
ID: 16939631
>I don't think AJAX in general, and XML HTTP Requests in particular, are going to need to be changed to accommodate your concerns.  However, I think we will see (if we haven't already) AJAX design patterns and security considerations that establish guidelines for how AJAX should be used to improve customer experience without violating privacy policies, or agreements or certifications with financial institutions.

I totally agree that probably you cannot really change the implementation of AJAX and can only create some sort of netiquette if there isn't any (that is what you are saying, isn't it). However there are some situations which are just on the borders of invading privacy. This border however is undefined, whether you would use AJAX or AJAI (asynchronous javascript and iframes :D), AJAF (... and flash), AJARI (and reloading images) or any other technology to communicate with servers without people knowing.

A colleague of mine came more or less to this conclusion: In this time of phishing people should just be careful with entering their details on any form on any website, whether it uses ajax or not. The people whose details are going to be taken without consent are probably also the ones that click on any link within any emails.
Personally I find this somewhat harsh and pushing too much towards people's own responsibility. Although in essence he is of course right.

The question then mainly is: what is and isn't allowed? There are no real definitions here I guess.

-r-
0
