
October 5, 2005

AJAX and privacy

While building a registration form for a client website this morning, I had a scary thought about AJAX (Asynchronous JavaScript and XML) and security. AJAX allows us to perform HTTP requests behind the scenes, so it's entirely possible to submit each field in a form as it's completed. So, after the user enters their first name and tabs or clicks into the last name field, AJAX could silently submit the entered text. Then when the user tabs to the next field, AJAX could submit the last name, etc.

Obviously, this flies in the face of user expectations of form behavior and security. I can't even remember how many times I've started to fill out a form, only to not submit it for any number of good reasons. I've actually entered my credit card number, expiration date, etc. and then chose *not* to submit the form because I realized that the site didn't have the requisite https:// or lock icon. Unless you're monitoring the headers of your browser behind the scenes, a form on a malicious website could be submitting your entries as you go using AJAX. Then, if you decide *not* to submit the form, they at least have all of your information up to the point at which you decided to stop filling things out.

I've been using AJAX extensively at work, and it's able to make web applications seem a whole lot more responsive. However, with mainstream acceptance of AJAX (which has actually been available without the cool acronym for years), it might be good to have a browser option to disable AJAX on secure pages, and possibly even a little toolbar icon that alerts you to the presence of asynchronous requests. Perhaps something like this already exists as an extension?

Assuming good intentions, there would be tremendous value to knowing exactly when a person decided not to submit a form. For example, if you knew that 75% of people who didn't click submit stopped at the same field, you would know that there's an obvious flaw either in design, code, or language that needs to be fixed. Of course, you could use JavaScript and AJAX to capture this information without actually submitting the content of the form, just the user's progress through the form. Regardless, I think there are some definite ethical lines that shouldn't be crossed. Your thoughts?
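The check that an alert for asynchronous requests would need can be sketched as follows. This is an added example, not code from the original post: it wraps an XMLHttpRequest-like class and reports any background request whose URL or body contains text currently typed into the form, while a progress-only request that names a field without its value passes. The names `findLeakedFields`, `installMonitor` and `FakeXHR`, the URLs and the sample values are all hypothetical and constructed for the example.

```javascript
// Added example; every name, URL and value below is constructed for illustration.
// Return the names of fields whose current value appears in the sent text, raw or
// URL-encoded. Values shorter than minLen are skipped to limit noise.
function findLeakedFields(text, fieldValues, minLen = 3) {
  const leaked = [];
  for (const [name, value] of Object.entries(fieldValues)) {
    if (typeof value !== "string" || value.length < minLen) continue;
    const enc = encodeURIComponent(value);
    const forms = [value, enc, enc.replace(/%20/g, "+")];
    if (forms.some((f) => String(text).includes(f))) leaked.push(name);
  }
  return leaked;
}

// Wrap open/send on an XMLHttpRequest-like class so every send is checked against
// the form's current values. Returns a function that removes the wrapper.
function installMonitor(XhrClass, getFieldValues, onLeak) {
  const { open: origOpen, send: origSend } = XhrClass.prototype;
  XhrClass.prototype.open = function (method, url, ...rest) {
    this._monitorUrl = String(url);
    return origOpen.call(this, method, url, ...rest);
  };
  XhrClass.prototype.send = function (body) {
    // GET requests carry data in the query string, so the URL is checked too.
    const sent = `${this._monitorUrl || ""}\n${body ?? ""}`;
    const leaked = findLeakedFields(sent, getFieldValues());
    if (leaked.length > 0) onLeak({ url: this._monitorUrl, fields: leaked });
    return origSend.call(this, body);
  };
  return () => { XhrClass.prototype.open = origOpen; XhrClass.prototype.send = origSend; };
}

// Constructed stand-in for the browser's XMLHttpRequest so the example runs offline.
class FakeXHR {
  open(method, url) { this.method = method; this.url = url; }
  send(body) { this.sentBody = body; }
}

// Constructed scenario: two fields typed, submit never pressed.
function demo() {
  const typed = { first_name: "Alice", card_number: "4111 1111 1111 1111", cvv: "" };
  const alerts = [];
  const uninstall = installMonitor(FakeXHR, () => typed, (a) => alerts.push(a));
  const beacon = new FakeXHR(); // progress-only request: field name, no value
  beacon.open("POST", "/form-progress");
  beacon.send("field=card_number&event=blur");
  const leak = new FakeXHR(); // per-field submission of the typed value
  leak.open("POST", "/save-field");
  leak.send("card_number=" + encodeURIComponent(typed.card_number));
  uninstall();
  return alerts; // one alert, for /save-field
}
```

In a browser the first argument would be the page's `XMLHttpRequest` and the second a function that reads the form's current field values. A value that is hashed, encrypted or split across requests before sending would not match this substring check.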

Posted by mark at October 5, 2005 11:55 AM

Comments

good thinking, master veerman! in this transitional period as more and more web apps start acting like desktop apps, i think more and more of these types of issues - from serious to benign - will pop up.

perhaps, as it relates to online forms, ajax should not be used for data submission, but for interaction scripting only. like if you choose one thing, something else on the page changes as a result...

Posted by: mikey at October 5, 2005 1:35 PM

I believe that I've actually experienced the phenomenon you described. I don't recall which site it was that did this, but I was toying with the idea of signing up for an online service of some sort. I had partially completed the form and decided not to sign-up - so no form submission.

It was later that day or the day following when I received an email referencing my name and questioning my membership decision.

If this is something that is employed on a site, commercial or otherwise, it should be mandatory that the site declare that this method is in use. /my_2_cents

Posted by: jay at October 6, 2005 6:28 PM


Disabling AJAX is possible, you know...just turn off javascript support in your favorite browser :)

You'd miss out on various types of js functionality - but no well-designed webpage should require javascript in order to perform critical actions, IMO...

On the concept of using an Extension - it seems like it should be simple to write one that simply scans through any JS code for XMLHttpRequest calls and disables them somehow.

But in lieu of that, it might be possible to use the GreaseMonkey extension [http://greasemonkey.mozdev.org/] to do what you're after?

Or we could always plead with the guy who wrote the Web Developer extension to add in an AJAX blocker to his blessed tool :P

Posted by: Nathan at October 7, 2005 9:32 PM
