Friday, March 26, 2010

XSS Restrictions - A barrier to UX and eloquent design

So, this is sort of a rant, but here goes. I am working on an E-Commerce punch-out application. For the uninitiated, punch-out is a form of E-commerce whereby the user of a procurement system wants to shop for items found in a remote inventory management Internet site. The user initiates an action in their system that "punches out" of their system and into a shopping experience hosted by the remote system. The user shops in the remote system and then returns to their local system with the shopping cart contents, including pricing. Punch-out is based in large part on the cXML standard; it is cXML that is exchanged in these punch-out conversations between the two systems.

To test our new system, I wrote a small Java web app that uses AJAX to send and receive the cXML to and from the remote system. Since AJAX uses JavaScript, I immediately ran into security issues with XSS (cross-site scripting). I know about XSS, but I initially ignored it because this test app is an Intranet-only app running on my local Tomcat server. I was wrong to be so cavalier.

I am using IE8, and IE8 (along with other modern browsers) has seen fit to enable XSS protection by default. After all, XSS is a major security issue. I just don't think that it is a major security issue in my environment, and I resent the fact that I cannot use it. So I did some digging, and it just so happens that I can disable the XSS Filter in IE8 by passing the proper HTTP response header to the web browser from my Tomcat server.

response.setHeader("X-XSS-Protection", "0"); // value 0 switches the IE8 XSS Filter off for this response

Setting the header to 0 turns the IE8 XSS Filter off for that response, so IE8 neither rewrites the page nor shows its notification bar. Note what the filter actually does, though: it looks for script reflected from the request URL into the response. It is the same-origin policy, not the XSS Filter, that refuses to let script read the reply to a cross-domain AJAX call, and a header set by my own Tomcat server cannot relax that; only the remote site can, by returning an Access-Control-Allow-Origin header, which IE8 honours through its XDomainRequest object rather than XMLHttpRequest. However, if I try to use SSL then I am right back to where I started, as IE8 just seems to ignore my response header in this situation. So, now my AJAX is muted.
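To make concrete which browser rule is actually deciding this, here is an added example (not code from the original post) that models the check a browser performs before letting a page's script read a cross-domain response: compare the page's origin with the target's, and if they differ, look only at the remote server's Access-Control-Allow-Origin header. The X-XSS-Protection header is deliberately never consulted. It also models the one extra rule IE8's XDomainRequest documents, that the target must use the same scheme as the page, which is the kind of thing that bites when a test page moves to HTTPS. The hostnames, paths and response headers are constructed for illustration.

```javascript
// Serialize an origin the way browsers do: scheme://host[:port]. The WHATWG
// URL parser already drops a default port (80 for http:, 443 for https:),
// so u.port is '' in that case and the origin is emitted without it.
function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// The same-origin policy: scheme, host and port must all match.
function isSameOrigin(pageHref, targetHref) {
  return originOf(pageHref) === originOf(targetHref);
}

// Decide whether script running on pageHref may read the response it got from
// targetHref. `responseHeaders` maps lower-cased header names to values, as
// sent by the *remote* server. A header from the page's own server is
// irrelevant here, which is why X-XSS-Protection is never read.
function canReadResponse(pageHref, targetHref, responseHeaders) {
  if (isSameOrigin(pageHref, targetHref)) {
    return { allowed: true, reason: 'same origin' };
  }
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === '*') {
    return { allowed: true, reason: 'CORS wildcard Access-Control-Allow-Origin' };
  }
  if (acao === originOf(pageHref)) {
    return { allowed: true, reason: 'Access-Control-Allow-Origin matches page origin' };
  }
  return { allowed: false, reason: 'same-origin policy: no matching Access-Control-Allow-Origin' };
}

// IE8's XMLHttpRequest has no cross-origin support at all; its XDomainRequest
// object adds one documented rule on top of CORS: the target scheme must equal
// the page's scheme, so an https: page cannot reach an http: endpoint.
function ie8XdrCanRead(pageHref, targetHref, responseHeaders) {
  const pageScheme = new URL(pageHref).protocol;
  const targetScheme = new URL(targetHref).protocol;
  if (pageScheme !== targetScheme) {
    return { allowed: false, reason: 'XDomainRequest: target scheme must match the page scheme' };
  }
  return canReadResponse(pageHref, targetHref, responseHeaders);
}

// Constructed scenario: a local Tomcat test page calling a remote punch-out site.
const PAGE = 'http://localhost:8080/punchout/test.html';
const REMOTE = 'http://supplier.example/punchout/setup';

const SCENARIOS = [
  { name: 'remote sends no CORS header',
    headers: { 'content-type': 'text/xml' } },
  { name: 'remote sends X-XSS-Protection: 0 only',
    headers: { 'content-type': 'text/xml', 'x-xss-protection': '0' } },
  { name: 'remote sends Access-Control-Allow-Origin for the page origin',
    headers: { 'content-type': 'text/xml', 'access-control-allow-origin': 'http://localhost:8080' } },
];

function runScenarios() {
  return SCENARIOS.map(s => ({ name: s.name, ...canReadResponse(PAGE, REMOTE, s.headers) }));
}

for (const r of runScenarios()) {
  console.log(`${r.allowed ? 'allowed' : 'blocked'}  ${r.name}  (${r.reason})`);
}
console.log(ie8XdrCanRead('https://localhost:8443/punchout/test.html', REMOTE,
                          { 'access-control-allow-origin': '*' }));
```

Only the third scenario is readable by script, and it is the remote punch-out site, not the local Tomcat server, that must send that header; the second scenario shows that X-XSS-Protection changes nothing about the cross-origin decision.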

I see AJAX and AJAX-like technologies as a major positive for UX (user experience) design in modern web applications. However, unless I am satisfied to only make AJAX calls to my local server, I am doomed.
