Details

Ondrej Zara

Subscribe

Tag Cloud

Post Categories

Recent Articles

Display Settings

articles per page.
order.

Translate
Showing posts in all categories RefreshRefresh
OAT's versatility
If you haven't done already, visit the OAT Gallery - an OAT-based personal photogallery solution. I created this in my free time with goals different from any other OAT-based projects: no database, php-based, non-standard original layout & look. My sample installation is here.

As one can see, only few parts of OAT are actually used: only the OAT.AJAX library and Timeline widget. This is a nice demonstration of how multi-purpose and versatile OAT is.
Tags:
Find related stories via Technoratirelated Post to del.icio.usbookmark it! submit digg.comdigg it! post redditreddit!
# PermaLink Comments [0]
05/04/2007 02:54 GMT
Data access: compare with IBM
IBM has recently release their own JS-based DB connectivity API. Unfortunately, they are quite restricted in terms of DB choice and Data formats selection. Let me give you a quick comparison of OAT's Data access layer with IBM Database Connectivity for JavaScript:

 Feature
  OAT - data access layer
  IBM Database Connectivity for JS
 Data sources
  SQL, RDF, XML, Web Services
  SQL
 Platform  Independent (Client and Server)
  Windows XP* (Client and Server)
 Application server
  Any HTTP (WebDAV preferred)
  PHP 5 with PDO extension
 SQL databases
  ODBC, JDBC, OLEDB, ADO.NET, Virtuoso
  IBM DB2 

*Windows XP is mentioned in the Requierements page. However, one may safely assume that JS code (Client) will run on any plaform. Similarly, it is mentioned that other DB/OS combo might work by using other, PDO-compliant server.
Tags:
Find related stories via Technoratirelated Post to del.icio.usbookmark it! submit digg.comdigg it! post redditreddit!
# PermaLink Comments [0] TrackBack [3]
04/20/2007 02:22 GMT Modified: 05/27/2007 19:06 GMT
New script file: append or write?
Following my last post about OAT's dynamic loading, I have to mention how is the script inclusion actually implemented. The task is easy: add a new script to already loaded HTML document. You have two basic options:
  1. document.getElementsByTagName("head")[0].appendChild()
  2. document.write()
OAT uses number one. Not only it is more aesthetic and native DOM approach, but it also works. Compare with Google Maps API or Yahoo Maps API: I created these two demopages (google, yahoo) which show how document.write() puts Firefox into endless loop. No, thanks. The same applies to Microsoft's Virtual Earth. The only correctly implemented mapping engine is OpenLayers.

Remark: of course, when used in classical way (in document's head during page load), these APIs work fine. I am talking about non-standard, delayed, inclusion.

Now one can ask why document.write() applied to loaded page freezes Firefox? Easily! First of all, this resets contents of whole page (so it gets blank); second, there is no document.close(), so page remains opened for writing forever. Pretty ugly stuff.

For your information, I have notified both Google and Yahoo developers about this, multiple times. Noone has ever bothered to respond!

Tags:
Find related stories via Technoratirelated Post to del.icio.usbookmark it! submit digg.comdigg it! post redditreddit!
# PermaLink Comments [0]
04/11/2007 01:48 GMT
Toolkit size and dynamic loading

Let's have a quick look at OAT's size. The core set of JS files (excluding documentation, images, styles and bundled applications) has over 1.6MBytes (89 files total with build 20070406). Now that is some amount of data, I can almost hear people whispering "I am not going to include such big framework into my tiny application; my users are not sitting at 10+Mbit lines!" Well, this is completely misleading thinking, as you will soon see.

OAT uses dynamic loading of libraries. So, in real life, the only file you *have* to include is loader.js. This one contains basic shared code and supplemental routines. Its size is cca 30kbytes (compare with prototype.js, weighing over 70kbytes). You can then specify which features you would like to use; OAT will create a dependency chain and include all needed files. Watch: 

<script type="text/javascript">
var featureList = ["grid","ajax2"];
</script>
<script type="text/javascript" src="oat/loader.js"></script>

This is a typical OAT setup. User wants to have Ajax functionality and Grid widget; the only manually included file is still loader.js.

Now you may be wondering "What if I decide to include additional features *after* the page was loaded?" No problem for OAT, as you can see: 

var callback = function(){ alert("Pivot component is loaded and ready!"); }
OAT.Loader.loadFeatures("pivot",callback);
Find related stories via Technoratirelated Post to del.icio.usbookmark it! submit digg.comdigg it! post redditreddit!
# PermaLink Comments [0] TrackBack [10]
04/07/2007 03:04 GMT Modified: 05/26/2007 20:31 GMT
OAT and JS Hijacking
There has been some recent buzz regarding security issues of Web 2.0 sites. I decided to thoroughly study and analyze how this works, manifests and influences JS toolkits.

The best approach here is to study whitepaper located at  http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf. One can find a typical attack scenario, some defense suggestions and security considerations. While the paper is (in my opinion) oversized, telling rather small amount of facts on large amount of pages, it contains some interesting information. Let me share how all this relates to OAT.

First of all, I must conclude that none of OAT-based apps is vulnerable to mentioned attacks, for two reasons:
  1. attacks are only appliable in JSON documents, fetched via GET method. Our OAT apps use XML format, requested with POST (via XML/A - SOAP).
  2. attacks are only appliable when security tokens (i.e. user name, password) are passed via browser cookie. This is not our case, since we pass these in POST request's body.
However, we might take into consideration the fact that OAT can be used for building different applications. So I added some low-level support for security countermeasures mentioned in the PDF document. Specifically (as a client-side only toolkit), the following two methods:

  a) cookie-based secret, passed as URL parameter in GET requests. So every OAT.AJAX.GET invocation will
  • set a cookie called 'oatSecurityCookie' to some random value
  • add 'oatSecurityCookie=xxx' to URL string, where xxx equals to the random value mentioned above. 
  b) enhanced JSON parser with smarter text analysis, effectively filtering out
  • comments (at the beginning and end of JSONified text)
  • the 'while(1);' trap, situated at the beginning of received text
Both methods are now mentioned in the OAT documentation. Of course, applying OAT eqipped with these countermeasures doesn't make (yet) your app secure: one must explicitely use one (or both) methods on server side, to complement OAT's security features.

To sum this up - OAT is now providing a maximum support for securing GETting JSONified data. It is up to user whether he wants to take advantage of this. We are - as (nearly) always - ready :)

Tags: | | |
Find related stories via Technoratirelated Post to del.icio.usbookmark it! submit digg.comdigg it! post redditreddit!
# PermaLink Comments [0] TrackBack [24]
04/04/2007 04:06 GMT Modified: 05/27/2007 18:43 GMT
         
Powered by OpenLink Virtuoso Universal Server
Running on Linux platform