Considerations for Secure Deployment of Rich Internet Applications (RIAs)
Rich Internet applications (RIAs) are Web-based software programs that either run inside a Web browser through a plug-in or are installed from the host Web site and run as a stand-alone program on a computer or mobile device. Microsoft Silverlight is a common example of software used to create RIAs.
RIAs are well suited to e-commerce because they can provide an interactive and engaging shopping experience. Instead of viewing static images, shoppers can drag, turn, and zoom on the pictured merchandise and watch streamed video and audio about products. RIAs are small programs, and they are easily viewed through a free plug-in in most Web browsers; installed from the host Web site and run on most operating systems; or installed and run on mobile devices, such as smartphones, making RIAs very accessible to the consumer.
Microsoft Commerce Server 2009 R2 has several features to assist in supporting RIAs; these include a presentation-tier Windows Communication Foundation (WCF) routing service, a Silverlight WCF client, and mitigations for security threats such as cross-site request forgery (CSRF) and cross-site scripting (XSS). The routing service relays messages and serves as a security boundary between the RIA and the Commerce Foundation. The Commerce Foundation is the Commerce Server 2009 R2 application programming interface (API) that queries, creates, updates, or deletes commerce entities, such as products, in the Catalog, Orders, Profiles, and/or Marketing systems within Commerce Server. The WCF routing service is a proxy: it receives requests from the RIA and makes the corresponding calls to the Commerce Foundation on the RIA's behalf, so the RIA never calls the Commerce Foundation directly.
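The following is an added, illustrative model of the routing-service pattern described above, not Commerce Server 2009 R2 code: the RIA's requests pass through a proxy that checks the caller's origin and anti-CSRF token and forwards only allow-listed operations to a stubbed back-end API. The origin, token, and allow-list values are constructed for the example.

```python
import hmac
from dataclasses import dataclass

# Constructed allow-list: which operations the proxy will forward per system.
ALLOWED_OPERATIONS = {
    "Catalog": {"query"},
    "Orders": {"query", "create", "update"},
    "Profiles": {"query", "update"},
    "Marketing": {"query"},
}
TRUSTED_ORIGIN = "https://shop.example.com"  # placeholder host site origin


@dataclass
class RiaRequest:
    origin: str       # Origin of the calling RIA, as seen by the proxy
    csrf_token: str   # Token the RIA must echo back for each request
    system: str       # Catalog, Orders, Profiles or Marketing
    operation: str    # query, create, update or delete
    entity: str       # e.g. a product identifier


class BackendApiStub:
    """Stand-in for the back-end API; records what the proxy forwards."""
    def __init__(self):
        self.log = []

    def handle(self, req):
        self.log.append((req.system, req.operation, req.entity))
        return {"status": "ok", "entity": req.entity}


class RoutingProxy:
    """Security boundary: validate, then forward on the RIA's behalf."""
    def __init__(self, backend, session_token):
        self.backend = backend
        self.session_token = session_token

    def route(self, req):
        # 1. Reject requests that do not come from the host Web site.
        if req.origin != TRUSTED_ORIGIN:
            return {"status": "rejected", "reason": "origin"}
        # 2. Anti-CSRF: the echoed token must match the session's token.
        if not hmac.compare_digest(req.csrf_token, self.session_token):
            return {"status": "rejected", "reason": "csrf"}
        # 3. Only allow-listed operations reach the back-end API.
        if req.operation not in ALLOWED_OPERATIONS.get(req.system, set()):
            return {"status": "rejected", "reason": "operation"}
        return self.backend.handle(req)
```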
Exposing the routing service, and by proxy the systems behind it, is not without risk. E-commerce Web applications are vulnerable to all kinds of security threats. Such threats can only be mitigated with careful consideration and implementation of your design.
In This Topic
Considerations Prior to Supporting RIAs
Mitigating Cross-Site Request Forgery (CSRF) Attacks
Mitigating Cross-Site Scripting (XSS) Attacks
Reducing the Attack Surface Area