Sometimes is painfull and others funny to look at Web Application Requeriments made across the time. While the time pass through a thin line of evolution on the flexibility on Web Based Applications, more complex are the requirements made to developers, sometimes imposible to handle and unconscious of what a Web Based Application means.

Many times we reach the point of unconscious requirements on WBAs on what is and what we can do with these applications, people that doesn’t thikn think these applications as client/server applications, where the client have only one interface to make the content dynamic, and not intended to access system specific facilities: the embeded scripting language — usually JavaScript — and some people still think that JavaScript will allow some controll over the computer, and outside of the Web Browser. Since I know that these things only happens with viruses — which affects only certain operating systems — I personally try to avoid the usage of certain operating systems and browsers.

The point on Portability

There are a lot of common examples, with the mainstream of special device handling, whereas the goal of the WBA is to handle and manage the given device. Then we get responses as "implement an ActiveX control" or "implement a Java Applet". Both answers remains under platform dependant solutions, and both require complex user interactions. First, an ActiveX control is a Micro$oft dependant solution, works only under Inernet Explorer and needs the user acceptance to certainly get access to the desired device, such as a special printer, smart card device or other kind of special device, then, the user must modify the browser policies — in this case Internet Explorer — to access the device allowing the installation of the needed ActiveX control. At the other hand, Java Applets needing access to hardware devices, must implement wrapper classes through JNI interfaces — these interfaces are written in C or C++, where both languages are completly native — and again we are on platform dependant solutions. Also, we need to modify the Java Security Policies to grant access to hardware devices, special files or other kind of system wide resources. Then I can think with strong arguments that these kind of Web Based Applications are not portable and can’t be considered as Desktop Applications, but largely used by the implementation costs.

Both solutions require the user intervention. You can’t overwrite the .java.policy created by the user and Java do not allow through the proper and protected API to modify the .java.policy file. At the other side, ActiveX controls reach the same situation, needs the user intervention to allow the Web Browser to instantiate and run these software components, you need to grant certain access to some site in your browser to allow them, but when it is a Virus or antoher another kind of Malware you get infected instead of getting your browser applying the security policies…

Also we can look at Web Designers how they are implementing portable CSS… always they need ugly hacks because most browsers don’t implement the right behavior by interpreting the CSS and many times getting CSS out of known standards.

The point Realibility

One particular case — to which a was in front off — was a managed printing through a WBA under Micro$oft Wintendo as client. I’ve made an ActiveX control that was using — not directly — the hardware driver to print a PDF file. The printing process was required as silent and without the user intervention, directly to printer. This means no prompts, no dialogs, no download window… really a trouble without an ActiveX control. Then we get a requirement of silent install for the ActiveX control, this means no user interaction installing and allowing the ActiveX control — again no prompts, no dialogs, no progress diaglos dialogs — to be installed and instantiated through the WBA in the client browser.

A Web Browser is a client, a single process and a single thread per page/site that it’s opened. Under this criteria, you can’t expect any process control or thread control under the Web Browser. Since JavaScript is a single-threaded scripting language, and you can’t create more threads than the current execution thread for the site that it’s visited by the browser, you can’t expect to control animations and wait loops while you are executing JavaScript — as result of sequential interpration interpretation of the scripts — where one of the given requirements was to animate the web page while the ActiveX control was working. The result was that the animation is freezed until the printing process was is finished. Meanwhile the JavaScript that is controlling the ActiveX component was running, the GIF animation in the web page was freezed… With a Real Desktop Application certainly we get more control over these requirements, but most of them aren’t implemented because these application means a cost that companies that don’t wan’t to pay — it’s easier to get a Good Web Developer rather than a Good Desktop/System Application developer.

By allowing ActiveX Controls or Java Applets, you are opening more posibilities to reach a malware infections.

The point on Standards

We constantly reach a common advertising behavior instead of rock solid behavior in matter of standards. All the effort that W3C makes to bring orientation on how to construct web pages can be broken by another commercial rather than real standards based proposal: "The Web [0-9]+\.[0-9]+". Where many of the proposed technologies in this pesudo-standard proposal uses most proprietary technologies, and allows web applications to implement many of the right and clear standard based behavior under proprietary technologies such as Silverlight or Flash — where the last one was now have an open specifications but without full open standard support — have an underlying lie and it’s proposed by some companies rather than known and respected institutions.

The most live example is how Web Designers deal with different behaviors on different browsers regarding the CSS features. Every browser has it’s own rendering engine, some of them with short modified engines, and every browser has it own custom styling behavior. Common behavior is limited to certain basic styling notation and elements. The main conflict on that, appear on floating divs and similar tasks, fulfilled of CSS tricks.

Another mistake is JavaScript handling. Since some highly used browsers such as Internet Explorer different ways to handle the same events and objetcs, and one clear example is how are handled AJAX requests by this browser — without the standard XMLHttpRequest object. Instead, you must use an ActiveX Control, and the same ActiveX control can have multiple versions on the same machine…

The point on Security

Many times we think that our applications are safe behind a browser, but what about malware kind of software?. You can get easily infected if you don’t have the right policies and you are doing something wrong as user, such as navigating as super user in your machine.

Some platforms, simply can’t get infected, otherwise by weak implementations, you can get infected by suppliying supplying a few clicks on some sites. If you don’t run as super user in your machine, you can get infected with malware by user specific installers, without the need to be a super user and having administrative priviledges. The malware in this case, can modify the per user — in this case the current user — specific security policies for his browser, allowing more malware to infect your computer.

What about these applications that access special devices or have access to special files, such as client certificates. Imagine a spyware specially made to handle certain company specific component. The weakness of obtaining certain keys or passwords through sniffing techniques, or keylogging and sending compressed packets UDP packets of what are you typing are some possibilities in many others.

Some browsers and platforms are a backdoor itself. Other case are signed mails, can you trust in a company — such as Google or Micro$oft — to send your personal certificate or GnuPG keys to sign your mail? Certainly is ridiculous to think in that idea, mainly if they don’t provide any kind of warranty on what your personal or private data regards, just take a good reading on the policies that provide these companies.

Realize what is a WBA

Be careful with the proposed standards, read about which protocols, formats and, in general, is conceived as Open Standards for Web Based Applications. There are a lot of materials to read, from public Open Standards to well formed books. Start with the basis, the HTTP/1.1 RFC, and finish with theorical books, mainly about usability. Building WBA professionally isn’t an easy job, and mostly require a good knowledge on the kind of software you are building. If you work on WBAs, there are a lot of must read documentation available on the Internet and — certainly — if you fall under proprietary WBA development — I mean WBA development under NOT-Open Standards — you will need to know a lot of the WBA environment…

3 Responses to “desktop != web based”

1. Leo Soto | September 24th, 2008 at 00:45
   

   Interesting points. It\’s kinda fun (and sad at the same time) to see how webapps are sometimes required to behave exactly like desktop apps, including having their privileges. Actually, I like to have more interesting and powerful web application, but I\’m really really scared about giving webapps full control over my machine. I agree that the non-sandboxed requirement should disqualify the \”web application\” approach.

   Now, a few comments: I think that IE7 doesn\’t use an ActiveX for XMLHTTPRequest. And, OTOH, IE6 was the browser that first implemented the \”AJAX\” feature set, so I wouldn\’t blame them for that. (And there is a *lot* of other things to blame them for, anyway). Re Java/JNI, I haven\’t done anything with JNI, but looks like JNA is much less clunky for interacting with C APIs. Looks quite cool if you are still on that business (and as a side note, I think it is inspired by python\’s ctypes)

2. Leo Soto | September 24th, 2008 at 00:49
   

   Interesting to see PHP/Worpress/magic_quotes stupidity in action on my post above Which remembers me that Rails people have also managed to sanitize things on the wrong level of the stack.

   Sorry for the OT, but WordPress gave me a good opportunity to rant a bit which I couldn\’t let pass

3. Leo Soto | September 24th, 2008 at 00:51
   

   Aaargh, Worpress also ate my links.

   JNA: https://jna.dev.java.net/

   ctypes: http://docs.python.org/lib/module-ctypes.html

   Explanation about Rails sanitizing things on the wrong level of the stack: http://blog.leosoto.com/2007/12/security-by-stupidity-i-rails-and.html

leave a reply