OpenAjax to focus on security, complexity

IBM, alliance wants to make mashups safer, easier to develop

Sometimes it’s all in the packaging. Take McDonald’s “Happy Meals,” for example. You’ve got a burger, fries, and a drink. But wrap it in kid-friendly packaging, add a cheap plastic toy, and voilà! You’ve got a whole new product line. In the application development world, much the same thing has happened in recent months, as a grab bag of Web development technologies such as JavaScript, XML, and some tried-and-true presentation technologies such as HTML and CSS were rebranded AJAX (Asynchronous JavaScript and XML).

Nothing really changed, but the new name gave developers and those of us who write about technology something to wrap our brain around that was more compelling than just saying, “You can do cool new stuff developing Web-based clients using JavaScript and XML.”

AJAX is recognized as the glue that holds together cool new services such as Google Maps and Flickr, but there’s still a lot of confusion about what is the best way to develop new applications using AJAX, and how major technology vendors, including Google and Microsoft, plan to support it in their products. To get to the bottom of those questions and others, InfoWorld Editor at Large Paul Krill sat down with David Boloker, chairman of the OpenAjax Alliance, at the recent AJAXWorld Conference in Santa Clara, Calif., to talk about these issues and others.

InfoWorld: What’s the attraction of AJAX?

David Boloker: AJAX enables you, in a Web browser, to actually have some of the same qualities of an interaction that you used to have only in a fat-client setting.

IW: How does it do that?

DB: AJAX is actually a set of standards that form a programming model, and those standards start off with DHTML and JavaScript and XML, and there’s cascading style sheets, there’s Web Services, there’s all of these things that are falling into this. Each and every one is a standard. And the use of them all together creates a toolkit. Today there’s probably 200-some-odd toolkits between closed source and open source, and each of the toolkits does things very differently.

IW: What about the issues of security around AJAX? What are you doing about that?

DB: Security around AJAX is actually security around the Web. So there are many sets of issues here, and one of the things which we’re actually going to cover inside of OpenAjax is a whole discussion on security. And one of the topics is not only from a Web standpoint of cross-app scripting, which has been a problem in the Web for many, many years, but this whole concept of when you’re doing mashups. If you’re doing mashups all within your establishment or customer shop or you have trusted parties, mashups are secure. It’s when I do insecure mashups between myself and someone who I don’t really know, that other person’s JavaScript could be misformed or try to take control of my machine. We need to do some technology work between ourselves, the companies, as well as maybe even in the W3C to look at, “How do I basically bring an access list to give someone approval to use the mashup or not to use the mashup?”

IW: So what are you going to do to address that problem?

DB: Well, the first thing we started doing is we’re attacking the problem as you said, not one at a time. We’re doing it on multiple fronts. The first thing was, “How do we basically build AJAX and how do we debug AJAX?” And, “How do we see what’s going from the client side of this to the server?” The second side of this is we needed to get the knowledge out about, “What are the issues?” The third side of this is a document that people [would] write to give to AJAX programmers. And then the fourth thing is you look for the technology side of it. “How can we basically start securing the technology?” And that work is under way right now.

IW: Has Microsoft made any commitments to joining OpenAjax at this point?

DB: None. They’re thinking about it at this point.

IW: Are there any other major companies on the sidelines?

DB: Well, there’s plenty of people that are in discussions with us, and those people in discussions with us are folks like Apple. … The other companies are mostly in Asia, which we’re actually making overtures to, as well as more open source projects.