A Declaration of Independence from Tyrannical Web Services

Posted on 9/29/2013

When in the course of human events it becomes necessary for an HTML-based app development team to dissolve the technical bands (XHR) which have connected them with a web service (due to such security concerns as HttpOnly cookies) and to assume among the powers of the earth, the separate and equal station (native web libraries) to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of the web development community requires that we can still run and debug our application in a browser.

We hold these truths to be self-evident,

  • that all web developers are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are an internet connection, code editors, XHR, Fiddler, coffee, and the pursuit of engineering excellence.
  • that HTML is increasingly becoming an architecture that allows applications to be created on a variety of platforms, not the least of these being delivered in arguably the most popular app delivery mechanisms on the planet: the app stores of the iOS and Android platforms in the form of hybrid native apps.

That to secure these rights, ISPs and ISVs are instituted among Men, deriving their just powers from the consent of the developer consumer in the free market, That whenever any Form of web service becomes destructive of these ends, it is the Right of the developer to alter or to abolish it, and to institute a layer of abstraction, laying its foundation on such principles and organizing its capabilities in such form, as to them shall seem most likely to re-establish XHR to its rightful place as a testing harness for all HTML-based application architectures.

Prudence, indeed, will dictate that web services securely established should not be changed for light and transient causes; and accordingly all experience hath shewn, that developers are more disposed to suffer, while security restrictions are sufferable, than to right themselves by abolishing the development environments with which they are provided. But when a long train of console.log() statements, pursuing invariably the same Object, evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such a configuration, and to provide a platform for their application's testability.

Such has been the patient sufferance of these developers; and such is now the necessity which constrains them to alter their web service interfaces and restrictions. The history of web application security has been a long-suffering struggle of developers against hackers, resulting in reduced capabilities of JavaScript and the introduction of security sandboxes, all having in direct object the establishment of an absolute Tyranny over things as simple as an HTTP header.

To prove this, let Facts be submitted to a candid development community. Some providers of web services have produced APIs which seem to ignore the fact that HTML applications can and are increasingly being created outside of a standard web browser.

  • Some web services do not support CORS, going so far as to nullify the use of XHR in some cases
  • Some web services only allow authentication through HttpOnly cookies, nullifying XHR in all cases

Nor have We been wanting in attempts at workarounds.  We created JSONP as a temporary solution. We have stood up facade web services. We have in some cases just given up on entire platforms and walked away in the shame of defeat.

We, therefore, the developers of web platform-based applications, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by Authority of the good People on our teams and on behalf of the employers, clients and customers we serve, solemnly publish and declare,

  • That security restrictions should not trump the need for a proper debugging environment.
  • That we ought to be Free to use the same tools we've grown to depend on for web application development even though our applications may not be targeted to eventually run in a browser.
  • That the full power of debugging tools will be restored to the web developer when his or her application is being tested in a browser.
  • That XHR will be restored to its rightful place as a mechanism for interfacing with secure web services in a development environment.

And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our code, our support and our sacred Honor.

2 comments:

  1. Well spoken!
    Especially regarding testing in a browser. We are expected to have fast turnaround times as developers and superfluous security measures are usually more of a hindrance than a help. The API should have some basic security but at some point trust your devs to do their job and secure their app.
  2. Your blog is awe-inspiring. I have found many new things. Your way of staging is also fascinating. You have elected very incredible topic. I appreciated it.