Ajax – A new aproach to web appliations?

On By westiIn Development, Security, Web dev

A lot of buzz has been generated recently by this essay by Jesse James Garrett about what he calls Ajax:

Ajax isn’t a technology. It’s really several technologies, each flourishing in its own right, coming together in powerful new ways. Ajax incorporates:

  • standards-based presentation using XHTML and CSS;
  • dynamic display and interaction using the Document Object Model;
  • data interchange and manipulation using XML and XSLT;
  • asynchronous data retrieval using XMLHttpRequest;
  • and JavaScript binding everything together.

None of this is new technology, but rather the application of existing technology to provide a much better user experience to the user of a web application. Web applications are often see as poor second cousins to desktop applications in terms of user experience because of the continual slow round tripping to the web server to progress to the next step. “Ajax” as used by sites like Google’s gmail removes this poor user experience as the data for the next page is downloaded in the background while the user reads the current page.

This is a good approach for enhancing the user experience. However, the web developer must remember that a portion of his/her audience will come in with a browser that doesn’t support JavaScript or has JavaScript disabled and a JavaScript free site must be available for the end-user to get some use out of the site. The developer must also ensure that this new “Ajax enabled” site is also fully accessible so as to cater for all types of user.

“Ajax” enabling also leads to possible security issues as the new “Ajax enabled” pages will require a number of public accessible webservices to be written, these services may already exist and be being used by the current technology, for example PHP, ASP or Java , that is generating the plain XHTML+CSS pages. At present these webservices exist in a protected network zone and so may not have been written in as secure a manner – these services will now need reviewing for security problems and also the possibility that advanced users may try and access them directly to build there own pages – it is likely that direct access to the webservices is not expected and as such it may be wise to lock them down.

Another technology which springs to mind that is missing from the “Ajax” hit list is JSON (JavaScript Object Notation) which is a technology for describing the data passed between the JavaScript code in the browser and the webservice that is called using the XMLHttpRequest object. The major benefit of using JSON as the format for the request-response exchange over this link is that at the browser end the JavaScript code can just eval() it to get the objects as the message is JavaScript.