Wednesday, June 17, 2009


Every new technology brings its own mechanism to mitigate security threats. This post discusses on how silverlight deals with cross site scripting.

What is Cross Site Scripting?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

To avoid Cross-Site Scripting (XSS), Silverlight runtime enforces restrictions in the framework APIs. Any cross domain request requires that the server has explicitly granted permissions to access its resources from Silverlight client. Cross domain access means the Silverlight client is making network calls to domain which is not same as the domain from which the client itself has been downloaded. The restrictions are same as what Flash based clients also experience.
To allow flash based clients to access its resources, servers need to place a policy file at the root of the domain called crossdomain.xml and all access permission in that file.
Silverlight uses the same logic to allow the APIs to access cross domain resources. It supports flash based policy file. It also supports a file specific to Silverlight clients named as clientaccesspolicy.xml. This is also a xml based file with published format but different from flash format.Silverlight runtime first tries to download the clientaccesspolicy.xml file and if found, all access permissions are granted using this file. If this file is not available, it tries to download flash based policy file. If none is found, access is denied. These files are not downloaded in case of same domain access.

Sunday, June 7, 2009

Google Wave

What is Google Wave? It is a new communication service that Google unveiled at Google IO this week. It is a product, platform and protocol for communication and collaboration designed for today’s world. Is that too much of technical jargon…let’s make it simple…and take it in chewable bite size…

It is like reinventing email that was designed 40 years ago i.e. many years before internet, wiki, blogs, twitter, forums, discussion boards etc existed. The world has evolved, but we are still hooked to “Store-and-forward” architecture of email systems which mimics snail-mail. In spite of the technological advances, we are living in highly segmented world, with information living on islands – emails, blogs, photo, blogs, micro blogs like twitter, web collaboration, net meetings, IM and so on.

In Google Wave you create a wave (can be an email or IM conversation or a document for collaboration or to publish on a blog or just to play a game) and add people to it. Everyone on your wave can use richly formatted text, photos, gadgets, and even feeds from other sources on the web. You can insert a reply or edit the wave directly. Google Wave an HTML 5 app, built using Google Web Toolkit. It includes a rich text editor and other desktop functions like drag-and-drop. It has concurrent rich-text editing, where you see on your screen instantly what your fellow collaborators are typing in your wave. This means Google Wave integrates email, IM and collaborative document creation into a single experience. The most important feature is that you can also use “playback” to rewind the wave to see how it evolved. My elder son was very excited to see that. He said “If I am playing chess with my friends using Wave, I will be able to rewind and replay it to see every move. WoHoooooo..”

Google Wave can also be considered as a platform with a rich set of open APIs that allow developers to embed waves in other web services, and to build new extensions that work inside waves. The Google Wave protocol is designed for open federation, such that anyone’s Wave services can interoperate with each other and with the Google Wave service. To encourage adoption of the protocol, we intend to open source the code behind Google Wave.

Vic Gundotra of Microsoft fame is now leading this effort as VP engineering at Google. Lars and Jens Rasmussen (brothers) who came to Google with acquisition of “2 Tech” in 2004, have been driving this effort at Google for more than 18 months. They also have credible history and star reputation at Google as creators of Google Maps.

The underlying assumption is that a large scale disruptive innovation can dislodge the existing leaders and give an opportunity to other to take leading positions. Hence an attempt to create an online world where people can seamlessly communicate and collaborate across various information exchange scenarios including email, IM, blog, wiki and multi-lingual (including translation) . With this bold move, Google is trying to overcome the challenges of integration by hosting the conversation object on the server, allowing multiple channels of interactions and breaking many barriers in the process. The service seems to combine Gmail and Google Docs into an interesting free-form workspace that could be used to write documents collaboratively, plan events, play games or discuss recent news. Google has announced this as an open source project and is publishing all the standards at The ripples of this Google wave have potential of impacting the technology world for decades to come.

Some helpful links:
Main Site:
Federation Protocol:
Web Toolkit: