beachersaussie, posted May 6, 2012:

I am building a website that allows full-screen apps. Basically I have two thoughts:

1. iframes (like Facebook)
2. jquery.load

The advantage of jquery.load is I can have a consistent navigation and get the app to append into it (will be a sliding out sidebar). Unlike the iframe, I would have to rely on the developer to implement a standard navigation etc.

Would 2 be secure? Noting that my whole site is powered by its own API (similar to how twitter is).

Or would it be best to try and develop some form of framework developers must adhere to and check all apps against it (similar to Apple) (and use iframes - like Facebook)?

Or has someone got an even better idea?

Hope that all makes some sense.
ignace, posted May 6, 2012:

Since you have an API, developers already adhere to something. Why would jQuery.load be insecure? We are going to need more info. If they can't compromise you through your API, I would allow the developers as much freedom as possible. Allowing creativity is key to attracting parties.
beachersaussie, posted May 6, 2012:

@ignace, all the data handling is done via an API, so they could not hook into a PHP function to get a user's data; it would have to go via the API. The only cookie stored is one to confirm they are logged in.

So it would allow the most creativity, freedom and still allow security (given the above) if I use jQuery/AJAX loads rather than iframe?

Although how would adding CSS sheets and jQuery plugins go?

Thanks
beachersaussie, posted May 6, 2012:

Not sure why this was shifted as it is a fairly broad topic, encompassing iframe, jquery, ajax and PHP - all options are still open. Anyways, look forward to more advice.
beachersaussie, posted May 6, 2012:

Also @ignace, what if they redefined the cookie for active user (which fb & twitter use the same as I do)? This would give access to other people's stuff? Yes?
beachersaussie, posted May 6, 2012:

I don't feel this belongs here, so I'm going away to think it over and come back soon. Ignace, feel free please to offer your advice again.
xyph, posted May 6, 2012:

This was moved here as it's a discussion about HTTP, and not PHP. You are asking whether using an IFRAME or AJAX is more secure. Your API being coded in PHP does not make this a PHP question.

The answer, without knowing the details, is that they are equally secure. Both can be manipulated client-side, and both can send a request on behalf of the client. I don't know anything that would make one less secure than the other; they have generally similar behaviour.

If you would like to discuss your API in particular, feel free to post in the PHP section.