Crockford Speaks on “Fixing the Web” and Appears on Channel 9
March 24, 2008 at 12:06 pm, by Eric Miraglia, in Development
Frequent YUIBlog contributor Douglas Crockford gave a keynote at the AjaxWorld East 2008 conference in New York City last week. As ever, Douglas was pulling no punches; his title was “Can We Fix the Web?” The browser, Douglas says, was behind the times when it was introduced, and it hasn’t aged well. It wasn’t designed to do the kinds of things we’re now trying to make it do; we have extracted about as much from it as is possible, and we are hitting a natural wall.
The browser has serious problems:
- It’s insecure: Once an attacker’s script gets a foothold on a page, it can read everything on the page, load additional scripts, make further requests to the server in the user’s name, and send information anywhere in the world. The browser does nothing to prevent any of these things.
- It suffers from the Turducken problem: Turducken, popularized by NFL analyst and Hall of Fame coach John Madden, is a turkey stuffed with a duck stuffed with a chicken. The Web is like this, with CSS stuffed in JavaScript stuffed in HTML, each layer read by a different parser. Text that’s safe in one context may not be safe in another, so escaping for one context alone is not enough.
- The web standards require that these vulnerabilities be present. Douglas identifies JavaScript, the DOM and cookies as standards that lead directly to vulnerability. JavaScript’s single shared global object and its lack of isolation between scripts are a problem; the nature of the DOM node tree, where every node can reach every other node and the network, is a problem; and the ambient authority conveyed by cookies (every request to a site carries the user’s credentials, whichever script made it) is a problem.
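The Turducken problem in miniature, as an added example that is not part of the original post or of Douglas’s slides: a user-controlled value is placed in a JavaScript string literal that itself sits inside an HTML attribute (`<button onclick="greet('VALUE')">`). Two parsers see the value in turn, the HTML parser decoding the attribute and then the JavaScript parser reading the result, so escaping for HTML alone leaves the inner context open. All function names below are this example’s own, the payload is constructed, and `simulateClick` is a deliberately small model of the browser (it decodes only the entities `htmlEscape` produces), not a full HTML parser.

```javascript
// HTML escaping for text and attribute values.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal escaping: every character outside [A-Za-z0-9]
// becomes a \xHH (or \uHHHH) escape, so nothing that either parser treats as
// syntax survives (quotes, angle brackets, ampersands, semicolons, ...).
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Naive: treat the slot as if it were ordinary HTML text.
function naiveAttr(value) {
  return "greet('" + htmlEscape(value) + "')";
}

// Layered: escape for the innermost context first (JS string literal), then
// for each enclosing context working outward (HTML attribute).
function layeredAttr(value) {
  return "greet('" + htmlEscape(jsStringEscape(value)) + "')";
}

// Model of what a browser does with an onclick attribute: decode HTML
// entities, then run the text as JavaScript. Only the five entities that
// htmlEscape emits are handled; this is a model, not a real HTML decoder.
function htmlAttrDecode(s) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// Runs the decoded handler with a greet() that records its argument and a
// hit() standing in for whatever an attacker's injected code would do.
function simulateClick(attrSource) {
  const result = { greeted: null, hit: false };
  const greet = (n) => { result.greeted = n; };
  const hit = () => { result.hit = true; };
  new Function("greet", "hit", htmlAttrDecode(attrSource))(greet, hit);
  return result;
}

// Constructed attacker input: closes the JS string, calls hit(), reopens it.
const PAYLOAD = "');hit();('";

function demo() {
  return {
    naive: simulateClick(naiveAttr(PAYLOAD)),     // hit: true  (injection succeeded)
    layered: simulateClick(layeredAttr(PAYLOAD)), // hit: false, greeted === PAYLOAD
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the naive encoder, `&#39;` is decoded back to `'` by the HTML layer before the JavaScript layer ever sees it, so the payload terminates the string literal and runs. With the layered encoder the quote reaches the JavaScript parser as `\x27`, which is data, and `greet` receives the original payload as a plain string. The same inner escaping also neutralises `</script>` inside an inline script block, since `<` becomes `\x3c`.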
Reiterating an argument he’s made elsewhere, Douglas went on to argue that, while mashups are the most interesting development in software in 20 years, they are spectacularly insecure. Any time you have scripts from two sources on the same page, you have an insecure situation, because both run with the same authority; that is often a baseline assumption in the mashup world. (And, Douglas notes, it’s not limited to “traditional” mashups: advertising as implemented on the web, with the ad network’s script running in the publisher’s page, is itself a mashup and is insecure.)
Douglas proposes a three-part approach to “fixing the web”:
- Subsets of JavaScript: It’s possible to create safe subsets of JavaScript by removing the parts of the language that are dangerous, so that a third-party script can be included without being able to reach the whole page. There are a few subsetting approaches out there; Douglas’s own ADsafe is one and Caja (from Google) is another.
- Small browser improvements: Implementing a proper mechanism for cross-site data access (for mashups), such as JSONRequest, that can replace current techniques like the script tag hack and iframes, which grant the remote source far more than access to the data.
- Massive browser improvements: Douglas suggests replacing JavaScript and the DOM and going from there, effectively building upon the ADsafe JavaScript subset using the tenets of object capability theory to create a secure toolkit for in-browser programming.
You can download Douglas’s slides here. The AjaxWorld team is pretty good about getting video up on their site, and we’ll drop a link when we see it there; in the meantime, YUI Theater has seven videos from Douglas to keep you going while you wait.
Douglas Crockford, Alex Russell and Joseph Smarr on Channel 9
Douglas was also on Microsoft’s Channel 9 last week, appearing in a session filmed at MIX08 along with Alex Russell (of Dojo and SitePen) and Joseph Smarr (of Plaxo; Joseph also appeared on YUI Theater talking about performance last year).
At MIX08, we were lucky enough to get three of the world’s top JavaScript experts to talk to us about the future of the language, the “Zen” of JavaScript, and tips and tricks on performance and management of large JavaScript projects.
8 Comments
I haven’t looked up Crockford’s credentials or listened to this speech, but I hope he worded what he said a bit more carefully than “The browser…was behind the times when it was introduced.” That’s a bit like saying that the Gutenberg printing press was behind the times.
Behind the times compared to other application platforms? Probably. Behind the times compared to other communications media? No. Could any other technology out there at “the times” have enabled the revolution that the web browser did? Apparently not.
Controversial statements get you attention and might just get you posted on the YUI blog, but they can also make you look a bit foolish. But I’ll assume that Crockford knows what he’s talking about, and that that was just lost in the summarization.
Comment by Josh J — March 25, 2008
@Josh– I agree with you (and I suspect Douglas would as well) that the browser and the web as a networked document-sharing system was brilliant and the early browsers as forgiving, flexible viewers for that content were instrumental in changing the way the world communicates. But, as you say, they were always behind the times as platforms for developing networked applications. They are arguably further behind the times now than they were in 1994. -Eric
Comment by Eric Miraglia — March 25, 2008
This problem of “fixing the ____” comes up so often in technology, and yet there are barely any examples of it really succeeding. It’s a provocative idea for a talk, and it’s a good rhetorical tool to get ideas going, but seriously, this ain’t never gonna happen. “Douglas suggests replacing JavaScript and the DOM and going from there…”? Yes, good: let’s do that, you stop by Redmond and talk to them, I’ll head over to Mozilla and try to meet with their top men.
I mean, it’s tough that we’ve got this weird hybridized development environment where there are security holes, leaky abstractions, and the possibility of shooting yourself in the foot at every turn. It’s a tough world to work in. But the web browser is arguably the most successful class of software ever. As a platform for developing networked applications, it’s worked incredibly freaking well, better than any other attempt.
Comment by Thomas — March 25, 2008
HTML was not state of the art at its introduction as a document presentation system, as a hypertext system, or as an application delivery system. HTML was condemned by the SGML community because it lacked most of the features they felt were required for a document format. It was many years before HTML afforded control over formatting and layout. In my view, it is still inadequate. The design of HTML was not informed by the works of Engelbart and Nelson, so it lacked most of what was considered necessary for a hypertext system. The thing that HTML got right, in my view, was its simplicity. HTML’s design came much closer to the minimal ideal than did SGML or Xanadu. I think minimalism is seriously underrated.
Comment by Douglas Crockford — March 25, 2008
[…] of JavaScript seems to be one of his current concerns. His recent talk shows his approaches toward the security […]
Pingback by Douglas Crockford’s blog | Grayger — March 30, 2008
While what Douglas has said has merits, it would do well to elaborate on the solutions at a much broader level than the 3 tweaks proposed. If you rake up a topic like this, you better know where to take it to!
Comment by Desmond — April 1, 2008
Crockford is going to fix the web, and countless other companies are going to fix email. How about this…fix people? I don’t use my computer for anything that requires ‘real’ PII or FI. I have the unbelievable cost of a stamp every now and then, but oh well. Yes, using the web to do all things financial and shopping is a convenience, but trust me…your life will still be complete if you choose not to do so.
Comment by James Chappell — April 1, 2008
[…] more coverage of Crockford’s Keynote address, check out these articles: 1, […]
Pingback by Ajax World Conference - Day 2 « dambalah — April 13, 2008