Well it is finally here… CFinNC kicks off on the campus of NC State, Raleigh NC, this weekend. If you are a Flex and/or Coldfusion developer then this conference is for you. Best part, it’s absolutely free and the presenters are top notch. Corefield, Labriola, Tucker, Kotek, Pomilio, etc…
Yeah, I just gave myself a shameless plug. But what the heck, why not. I will be giving two presentations on Saturday. The first is at 2pm on ‘Flex and Javascript’ and another one covering ‘Flex, Xhtml and CSS.’ So check out the conference site at www.cfinnc.com and remember it’s free.
A friend recently passed a long an article found on slashdot regarding XSS, and for more information I visited the Mozilla Blog that discusses this concept in greater detail. In an effort to save time I will summarize the articles as this, you will not be able to use in-line javascript, inline event handlers, or load javascript from unapproved domains. Basically, you will need to have all your javascript loaded in external js files, and then create a policy that allows the js to be loaded by a domain. Now after reading these articles, and mulling the concept over for a few minutes, a few things came to mind.
The amount of legacy code that produces inline javascript, or inline event handlers, etc..
The amount of time to refactor this code, and I am referring to enterprise applications not your Mom’s blog.
A way to move developers towards unobtrusive javascript, i.e. adding event handlers through script and not putting them directly into the html markup. This is a positive as markup is markup.
With this approach would the need for Javascript micro-architectures arise? Think PureMVC and Cairongorm for Flex. After all we are already using javascript application frameworks, shouldn’t we have some architectural frameworks for html/css/javascript clients?
Overall I am not to0 concerned with the implications of the concept presented by Mozilla. I feel that in the end it will make developers realize that there are some fundamental shifts needed in the client side development arena that go beyond creating the next cool javascript widget or library.
XSS is a real threat and by attempting to solve this issue we may all have to create a better architecture for our clients.