White Space & AJAX Security

Dec 14, 2009
Episode 3
This week we show you how to clean up designs using white space. We also explain why AJAX across different websites can be so tricky.

Thanks to those who make Doctype possible!

White Space

General Notes

Making good use of white space can make your web pages look more professional and elegant. If you're designing a page for a high-end brand, it is an essential tool.

Macro White Space

Macro white space, or negative space, is the large gap between major blocks of content. When designing your page, try to break the content down into its major blocks and arrange them with enough space between them. What you're going for is just enough space between elements that each can be appreciated individually, but not so much that they stop forming a cohesive whole.

Micro White Space

Micro white space is the space between individual letters, between list elements, and around smaller headers. While at the macro level a paragraph is just a block of texture, at the micro level you examine the paragraph itself with readability and visual friction in mind. Adjusting the line-height or letter-spacing can dramatically change that texture and improve readability.

AJAX Cross Domain Security

We often hear the question of why AJAX requests cannot be made to URLs on a domain other than the one the page was loaded from.

The reason has to do with cookies. Nearly all websites that require you to log in use a cookie to remember who you are from page to page, and the browser sends that cookie automatically with every request to the site that set it. If someone were able to read your cookie, copy it, and use it in their own browser, your bank, social networking site, or whatever else would not be able to tell you apart from the attacker.

Imagine you had just logged into your bank's website and then navigated to a page with malicious intent. If cross-domain AJAX calls were allowed, the attacker's page could make requests to the banking site through your browser. Since the browser attaches the bank's cookie to every request to the bank, those requests would arrive fully logged in, and the attacker's script could read the responses, giving it access to your account.

This is one example of why cross-domain security matters for AJAX. Note that what the browser blocks is the attacker's script reading the cross-domain response; the request itself can still be sent by other means, such as a submitted form. Other techniques attempt to steal a user's cookie outright (cross-site scripting, XSS) or to use it without the user's knowledge (cross-site request forgery, CSRF). We will look at these techniques and how to protect your site against them in future episodes.