COWS Ajax - It’s about the 3rd-party apps, Stupid!

COWS Ajax recently attracted some nice attention on Slashdot with this article. Sadly it was apparent that a lot of commenters failed to grasp the potential. They did rightly call me on not adequately presenting the security concerns but also ignored what this approach can achieve. Perhaps this was my fault for giving long illustrative descriptions when I should have gone for a more sound-bite approach like "It’s about the 3rd-party apps, Stupid!"

I strongly recommend reading that article. But the summation is that Ajax must obey the browser same-origin policy meaning that a user can only communicate with your site. It's not a defect, it's a protection. COWS Ajax uses dynamic script tags to allow communication between the user, your site, and any number of 3rd party sites. The first COWS Ajax powered app is SpellingCow, that spell checks as-you-type by adding a single line to your page. It can even be run as a favelet. These things are simply not possible with XMLHttpRequest Ajax.

At this time, let’s clear up a few points that some seem to miss:

Will this save me development time?

It saves times in that you don’t need to create the app in the first place! But no, if you are using COWS Ajax to develop an app, it will not save you time if the same thing can be created with another lib like YUI. The point is that it allows you to do something that YUI cannot do! Some folks said "I like to build everything myself" which is utterly ridiculous when referring to something like a mapping program or a large database of information that is not even attainable to the developer.

Aren’t dynamic script tags old news?

Not to most developers. Let’s face it, the AJAX acronym has only been around for about 18 months and that was only AFTER Google had been using Ajax in Google Maps and GMail. It just didn’t have a name then. No one knew about all that underlying potential or how to tap into it. Then Jesse James Garrett changed that. Similarly, the dynamic script tag approach used by COWS Ajax has been possible for a long time. But certainly very few would have thought about it prior to the advent of Ajax. Once Ajax was hot, people started to look for ways around its limitations.

My research shows that around December of last year the first essays of dynamic script tags Ajax began to surface. They had very little fanfare, didn’t have real-world examples, I don’t recall there being an API being created (could be wrong about that), and just really failed to get the word out about this undiscovered power. In fact I’ve only heard of other people’s prior discovery after I had already discovered it myself! I'm just trying to get the word out. I know of no other API that encapsulates cross-domain Ajax with dynamic script tags.

The real debate

Both the true power and the true debate rests in making 3rd party apps directly accessible. The downside is that you could be opening the door to some very nasty hacks. The upside is that you could be tapping into some very powerful apps that simply are not feasible to be recreated by each individual developer. Though there are concerns, it should not be dismissed out-of-hand. The key question is "Who do you trust?"

With anything on the net, you should only be running code from a trusted source. All sorts of nasty things can happen just by visiting a scammers website (XSS+phishing combo attacks and such). Obviously COWS Ajax introduces another layer of concern, but it can be mitigated by running tools/apps from trusted sources only. If someone has a vested interest in offering a tool, then that should reduce the odds of a scam. There's a wealth to be gained from 3rd parties... just be smart about which one you bet on ;-)

Should you use code from Osama’s Death-to-America Phishing Emporium? I’d suggest "no". However, people install the dynamically created javascript for Google Adsense and Google Analytics all the time for a reason. Your browser can't protect you if Google changes their motto from "Do no evil." to "Sometimes evil is okay". But it's reasonable to assume Google will not do this. You simply have to weigh the value of the app and the reputation of its author against what security issues you are opening up.

As a developer, why would I use COWS Ajax?

If you simply want to ping back to your server’s database to make your autosuggest dropdown work, then use Ajax, not COWS Ajax. But say if you have a unique resource like a large database, or an idea for a uniquely interactive tool then you can enlist COWS Ajax to get it out there. A large percentage of folks that run websites do not have an intimate knowledge of the web apps they are running like blogs, forums, bug trackers, etc. Getting them to make modifications to the software can be a major undertaking of file editing and database updates. It can all lead to a support nightmare. Most folks can handle inserting one-line of code into their app and that’s all that’s needed to harness the power of COWS Ajax. But most importantly, it is unlocking resources that would otherwise be unavailable.

What kinds of things are possible?

In the previously mentioned article, I give the example of the US Postal Service creating an app to do zip code lookups. Jokes aside, the USPS (or FedEx or UPS) is a relatively trusted source. Adding this kind of power to your site in return for displaying their logo seems like a pretty good deal especially since it’s coming from a trusted player.

SpellingCow is another example. Here we have a useful application with an obvious business model. The source definitely doesn’t have the same trust and accountability level as a major corporation or government entity, but they’ve clearly been around for awhile, have a legit business model in place, and the app has a lot to offer.

Hypothetically speaking, imagine clicking around a Yahoo Map and having the coordinates of each click being sent back through the user to the app on your website. There’s a lot that can be done with this. Imagine having a widget from flickr you put on your webpage. You could harness the power of flickr and still pipe all the user interactions back to your application to provide a very rich user experience. Likewise you could tap into the resources of eBay, Amazon, Wikipedia, or some yet to be invented database or repository. Instead of having an autosuggest form that ties into your database, it could instead be pulling directly from the Library of Congress. Established players like Yahoo and Google have a tremendous amount of potential.

Conclusion

Yes, there are security concerns in that you have to determine if you can trust the 3rd party. As a 3rd party developer, you'd have to build up trust. However the potential here is great since a trusted source with a valuable resource can have some amazing things to offer and create a new breed of interactive web tools.

Posted 2006-09-08