Ajax Security Basics
Jaswinder S. Hayre, CISSP, and Jayasankar Kelath, CISSP

Comments

Ajax security basics (2006-06-20), by Sivakumar

Ajax security basics (2006-06-22), by Paul Kosinski
AJAX also reduces security and privacy for the person using the web page in the following subtle way.

In the old synchronous model, one typed information into a web form, checked it for accuracy, relevance, etc., edited it if desired, and then pressed a submit button which sent it on its way. It was almost never the case that information was transmitted prematurely (e.g. via JS 'onChange'), and if it was, it would probably be obvious.

In the new asynchronous model, information can, and presumably on occasion will, be transmitted to the web server as it is typed, with no obvious visual cue that anything is happening. This opens up a lot more possibilities for surreptitious information gathering. No longer will you be able to decide at the last minute not to submit a form, and be sure you haven't already provided some information you'd really rather keep private. Even simple errors, like typing your business email address rather than a throwaway email address, will not necessarily be correctable before clicking submit at a web site you don't fully trust.

In other words, the more complex behavior of an asynchronous web interface can make both the client side and the server side less secure.


Link to this comment: http://www.securityfocus.com/comments/infocus/1868/594#594
Copyright 2008, SecurityFocus