Discussion on:

Develop slick Web interfaces with Ext JS

I very much enjoy articles such as this discussing advances to "Web 2.0" presentation technologies. However, these disucssion almost always fail to address the impact on application security. Security of Web 2.0 should be as important an issue as the power or ease of the technology or tool itself.

This is discussing the framework Ext JS, not application security. Javascript frameworks are designed to make development of applications much faster by extending the native functionality of javascript and removing the constant cross-browser pains a developer runs into. Security is up to the developer, not the framework, and mostly has to be dealt with server-side anyway. I've tried a few frameworks (including YUI, not Ext though) but currently use mootools for all my needs. I prefer it because of it's weight, extensibility, and coding is more implicit (Ext is more explicit, a la C style coding). I like the overview though, hope to see some more looks into other libraries (Prototype/Scripaculous, mootools, dojo, etc).

I agree that the security is a concern, but it is exceedingly difficult to handle properly (as it is for ALL Web-based applications). The Web 2.0 stuff can, or course, use SSL to protect the connection, and either by using SSL or other mechanisms, request (not a gurantee, of course) that the browser not hold the data in temporary files or otherwise cache it. Outside of that? Session maintenance and cookies, and the usual authentication systems are all you have.

J.Ja

The provider's in terms of their IP ?

The subscriber who has to trust the the provider won't abuse the necessary privileges required for them to provide it.

The relationship itself which could be protected by the envelope of SSL.

Security in web applications is an afterthought, the internet was designed to be robust not secure. HTTP as designed to publish documents. HTML was designed to present them. This is the foundation web 2.0 is built on.

Security of web 2.0 is not an important issue, if it was it would be distributedapp 1.0.

What was important was leveraging some more bells and whistles at minimum cost and no impact on the existing infrastructure and applications.

Great Article ...

I have been dabbling with Ext JS and ColdFusion 8 a little bit and I have to admit that Ext JS is a very cool JavaScript framework ... There too is a lot of great info on Ext JS over at Rey Bango's Blog ...

Yes I agree that, Ext JS keeps its promise with an easy-to-use development model. This is proved when it took me only 1 month to learn and developed from scratch, for me to come out with my first webapps by using Ext JS.(http://mantau.klgate.com/namsys/namsys-main.html)

The learning timeframe is very short. The Ext JS community is very active, and most of my development issues resolve by browsing the Ext JS forum.

However, my opinion on security is that it should be handle by the server-side framework not client-side framework. If client-side does not to store private data in web browser cache memory and POST thru HTTPS, that should be good enough to handle the security issues.

Even easier, I believe, is Wavemaker Software's Web-Fast???: WaveMaker Visual Assembly Studio. It's at www.wavemaker.com/products.

Jim Sutter
www.peergroup.net
jimsutter@cox.net

what about xsrc and mce_src? Should examples attributes which don't validate?

This is awesome! Thanks