Big setback for Ajax?
November 6, 2006
I’ve just spotted this article on The Register, which describes a critical security flaw affecting all versions of Windows apart from Windows 2003. Secunia rate it Extremely Critical and note that it is being actively exploited. Microsoft have posted this advisory about it, and one of the recommended workarounds is to disable the affected ActiveX control.
That control, it seems, is the XMLHTTP control that ships with Microsoft XML Core Services (MSXML) 4.0. Sound familiar? It’s one of the controls that provide XMLHttpRequest in IE. Unless I’m missing something, disabling it would mean disabling Ajax behaviour. Worth checking before panicking, though: the workaround disables only the 4.0 control, so a page is affected only if its XMLHttpRequest factory asks for the 4.0 ProgID (`Msxml2.XMLHTTP.4.0`) and has no fallback. The version-independent ProgIDs `Msxml2.XMLHTTP` and `Microsoft.XMLHTTP`, which most libraries try, are bound to MSXML 3.0 even on machines where 4.0 is installed, and IE7 exposes a native `XMLHttpRequest` object that involves no ActiveX control at all.
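As an added illustration (this is not code from the original post, the Register article or the Microsoft advisory), here is the XMLHttpRequest factory pattern Ajax libraries of the period used, written so the selection logic runs outside IE by injecting a stand-in for `window`. The ProgID list, the simulated machines and the helper names are assumptions for this example. It shows that a kill bit on the MSXML 4.0 control leaves a factory that tries the usual ProgIDs working, breaks only code that names `Msxml2.XMLHTTP.4.0` without a fallback, and is irrelevant on IE7 where the native object wins; the probe helper is the check an admin would run to see what the kill bit takes away.

```javascript
// Added example, not from the original post. The ProgID list and the
// simulated IE environments below are assumptions for illustration.

// ProgIDs an Ajax library of the period typically tries, newest first.
// Nothing here names the MSXML 4.0 control; the version-independent
// ProgIDs resolve to MSXML 3.0 even when 4.0 is installed.
const DEFAULT_PROGIDS = [
  "Msxml2.XMLHTTP.6.0",
  "Msxml2.XMLHTTP.3.0",
  "Msxml2.XMLHTTP",
  "Microsoft.XMLHTTP",
];

// Pick a transport: the native XMLHttpRequest if the browser has one
// (IE7, Firefox, Opera, Safari), else the first ProgID that instantiates.
// `env` stands in for `window` so the logic can run outside a browser.
function createTransport(env, progids = DEFAULT_PROGIDS) {
  if (typeof env.XMLHttpRequest === "function") {
    return { kind: "native", progid: null, obj: new env.XMLHttpRequest() };
  }
  if (typeof env.ActiveXObject !== "function") {
    return null; // neither native nor ActiveX: no Ajax transport at all
  }
  for (const progid of progids) {
    try {
      return { kind: "activex", progid, obj: new env.ActiveXObject(progid) };
    } catch (e) {
      // not installed, or blocked (e.g. by a kill bit): try the next one
    }
  }
  return null;
}

// Audit helper: which ProgIDs instantiate on this machine? Run it from a
// test page in IE to see exactly what disabling one control removes.
function probeProgIDs(env, progids) {
  const report = {};
  for (const progid of progids) {
    try {
      new env.ActiveXObject(progid);
      report[progid] = true;
    } catch (e) {
      report[progid] = false;
    }
  }
  return report;
}

// Constructed stand-in for an IE window (hypothetical helper). `installed`
// lists ProgIDs present on the machine, `blocked` those whose instantiation
// is refused (modelling the kill-bit workaround), `native` whether the
// browser has IE7's built-in XMLHttpRequest.
function simulateIE({ native = false, installed = [], blocked = [] }) {
  const env = {};
  if (native) {
    env.XMLHttpRequest = function () { this.readyState = 0; };
  }
  env.ActiveXObject = function (progid) {
    if (!installed.includes(progid)) {
      throw new Error("Automation server can't create object: " + progid);
    }
    if (blocked.includes(progid)) {
      throw new Error("control blocked by kill bit: " + progid);
    }
    this.progid = progid;
    this.readyState = 0;
  };
  return env;
}

// Scenario (constructed): a box with MSXML 3.0 and 4.0, with the 4.0 control
// disabled as the advisory suggests, seen from IE6 and from IE7.
const MSXML_ON_BOX = [
  "Msxml2.XMLHTTP.3.0", "Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "Msxml2.XMLHTTP.4.0",
];
const ie6KillBit = simulateIE({ installed: MSXML_ON_BOX, blocked: ["Msxml2.XMLHTTP.4.0"] });
const ie7KillBit = simulateIE({ native: true, installed: MSXML_ON_BOX, blocked: ["Msxml2.XMLHTTP.4.0"] });

console.log(createTransport(ie6KillBit).progid);                    // Msxml2.XMLHTTP.3.0
console.log(createTransport(ie6KillBit, ["Msxml2.XMLHTTP.4.0"]));  // null
console.log(createTransport(ie7KillBit).kind);                      // native
console.log(probeProgIDs(ie6KillBit, DEFAULT_PROGIDS.concat("Msxml2.XMLHTTP.4.0")));
```

The order of `DEFAULT_PROGIDS` is the whole story: a library that lists the 4.0 ProgID first still degrades gracefully because the constructor throws and the loop moves on, whereas one that hard-codes `Msxml2.XMLHTTP.4.0` alone returns `null` and every request on the page fails.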
Normally, a serious flaw like this in IE, common as they are, would have the ‘other browser users’ making the usual noises about how insecure IE is and how everyone should switch to <insert your favourite browser here>; few people would actually change, and life would go on as usual.
The impact of this on Ajax applications, however, could be quite disastrous if the result is that a very large percentage of IE users turn off the XMLHTTP control in response to this alert. All of a sudden, Ajax looks dangerous, and that is a big setback for all of us, IE users or not, since the benefit of Ajax really comes from widespread adoption and acceptance.
Well, XMLHTTPRequest is just one of many transport methods for AJAX - the comprehensive (but somewhat cumbersome to read) list of alternatives may be found at http://www.ashleyit.com/ajax/AjaxExperience.htm.
Of all those, IFRAME is the most safe and stable - to quote the same author, “JSRS and RSLite have worked consistently and predictably across a large number of browsers for 5 years and more without modification. I only changed my Blogchat app to use XMLHttpRequest recently (for no really good reason - it’s been unchanged since 2002) and the first thing that happened was a huge debugging session to figure out a really wonky deep IE7 issue.” http://www.ashleyit.com/blogs/brentashley/2006/09/25/simplicity-begets-stability/
Comment by Artem Khodush — November 10, 2006 @ 5:34 pm
There may be alternatives, but I suspect that the huge majority of Ajax apps and frameworks are coded to use XMLHttpRequest, so the point still stands that if large numbers of IE users switch off the ActiveX component then a large chunk of the Ajax apps out there will stop working.
Thanks for the references. I’ll read those with interest.
Comment by Doug Clinton — November 10, 2006 @ 6:27 pm