6 threats of the modern FE environment

Posted on February 26, 2013 by Marc van den Dobbelsteen

Frontend threats

 

Web's frontend has always been a dynamic environment with it's own specific characteristics. It has gained a lot of professionalism regarding job roles, technologies, processes and as a platform in the last years. But besides this evolutional change, frontend plays a growing role in multi device strategy and application architecture. This evolution, shift and growth can also introduce some possible threats that, if not addressed, can lead to disaster.

Complexity

Our frontend domain is maturing rapidly. We started with a relatively simple web design environment and are entering a full-blown system development platform where we use professional development methodologies that have a high learning curve. Thorough knowledge of structured and Object oriented programming and design patterns like MVC, module, AMD etc is needed. We are continuously shifting away from the open low-level character of our web standards.

The user environment is also rapidly expanding. A plethora of devices and browsers must be served. Users are getting more demanding regarding their experience. Browsers are evolving from an agent to a platform where new technologies are growing like a herd of mushrooms.

All these new features drive an unstoppable temptation to bloat our frontend environment with all kinds of goodies, resulting in a full fat overloaded client where everything is happening without any goal or fundamental reason.

If we don't continuously reduce complexity, we will end up with a unmanageable environment.

Ignorance

Ignorance of the fact that the frontend environment is an environment with it's own specific habits, requirements and
behavior, and the fact that frontend developers are professionals that are aware of these specific characteristics, can be an important threat.

The frontend environment should not be treated as a server side environment, like java or c#. We have to deal with an unstable, unreliable hostile runtime environment, build on a single threaded execution model. we don't have compilers that save us from all kinds of mistakes. We struggle with runtime isolation, etc.

Agile development methodologies have morphed multi disciplinary teams into omni disciplinary teams where frontend developers have to test and backend developers have to write frontend code. No problem with that. This LEAN approach surely has potential, but it will only work with ignorance-free backend developers. They should be aware of the pitfalls, quirks and best practices of FE development. But we as FE professionals have to make them less ignorant by sharing our FE knowledge.

Complex environments need structure and some level of architectural foundation to keep them maintainable, so for the Frontend environment. We have come a long way from table-based web design to the current state. A lot of clever technologies and methodologies have been invented that contribute to the initial foundations of the web and have become de-facto standards. Patterns like REST, Progressive enhancement, Graceful degradation, Accessibility, semantics are great goods. Don't ignore them.

Compatibility

The continuously diverging landscape of devices we have to support, and the ever growing richness of the user interface we have to build in order to server the demanding user's online responsive experience, is asking a lot of our technologies and us as developers. Old design paradigms like 'pixel perfect', 'page-design' and 'wireframes' don't fit to this complex new world. They create a lot of friction, don't ignore.

Future

Don't think of the future as a goal, but as a process. Not only new technologies are entering our FE world with an amazing speed, but also the way's we use them do do stuff are. Future in FE terms is now + 3 months. This means we have to be ready to absorb the future by providing flexibility and agility in our FE architecture.

One other big threat in regard to future is to use new technologies or methodologies as a goal on their own, instead of means to reach a goal. Don't let you be influenced by buzz driven people.

Openness

Our frontend environment has always been a very open, easy to use environment with technologies that have a low learning curve and where it is easy to book visible result. FE sourcecode files are easy editable and deployable to any environment, locally or remote.
We only need a browser to view the result of our work. This openness has been one of the drivers for the growth and widely use of the web.In fact, anyone can build a webpage.

But bit by bit we are raising barricades and thereby influencing the openness in a negative way. Complex tooling, abstractions, automation, mix-ins, etc. are good means to make our daily life easier and add more structure to our environment, but don't overdo. Don't make things difficult when they could be easy.

Uncertainty

FE development has always been a discipline with some aspects of uncertainty. The most annoying perhaps has been the deviating level of browser compliance to web standards. But today the most important uncertainty are the things that lay ahead of us. What does our FE future look like. What technologies will arrive and which devices do we have to serve? Will my current knowledge still be sufficient? which developments should i track? All questions that will constantly pop up, every day of your FE life.

Like i told, future is a process. But don't let this uncertainty scare you. Embrace it, treat it like a gift. Just be sure you have enough flexibility and agility in your architecture, so you can adapt quickly.

Posted in governance | Leave a comment

3rd party includes, avoid a hangover.

Posted on February 12, 2013 by Marc van den Dobbelsteen

3rd and 4th party includesWith the ever growing attention for social media, a lot of new SAAS-like solutions for adding additional functionality to a website are conquering the market. Through mash-up constructions, solutions are offered for bannering, widgets and tracking. These solutions often will load static content from a web server owned by the party offering the solution. This static content consist of javascript, css, html and image files.

The advantages of these SAAS solutions like easy integration and a efficient update-model are well known, but there also are some important risk that should thoroughly be evaluated before proceeding with these 3rd party includes.

Because 3rd party includes are loaded from a domain other than the origin of the actual HTML document, the browser will default to the same-origin-policy handling. This policy for example won't allow these 3rd party scripts to use XHR for sending client data back to the 3rd party server. In a lot of situations, this same-origin-policy will be circumvented by creating hacks using browser flaws. As a result, these hacks will allow the 3rd party scripts to:

  • - Instantiate browser plugins
  • - Open popup windows
  • - Submit forms
  • - Use client side storage mechanisms like LocalStorage, SessionStorage, Cookies etc.
  • - Send XHR's
  • - Manipulate the DOM of the origin page
  • - Use HTC's and Binary behaviors or bind data

An other known side effect of 3rd party includes are the so called 4th party includes, when SAAS solution providers also include external resources in their sources. These could be for example libraries from a CDN or other delivery network. This construction can introduce some nasty effects that will influence the overall quality of our websites and applications.

Performance

3rd and 4th party content owners can have a different regime or strategy in terms of caching and performance than you try to strive for. Poor or no cache settings and a poor optimization for file size and amount of io of the external sources  can result in a bad overall performance of our systems. Any downtime of this external environment or resulting 500 or 404 responses even can block or stall the render-thread of the browser (white screen). The result can be an introduction of SPOF (Single Point Of Failure) on the frontend.

Privacy

3rd party scripts are able to see, store and post everything the user does without any consent of you or the user. Even as a result of the expanding chain-of-trust it will be much harder or even impossible to comply to privacy regulations or perhaps even our own privacy goal. A more for the user visible effect will occur if a 4th party uses click behavior for retargeting purposes.

Security

Because existing browser security policies are bypassed, the risk that the integrity of your systems (websites, applications) is affected, will be increased. Besides the possibility of actual exploits or attacks via XSS, an another great danger is the unnoticed realization of drive-by malware infections because of compromised 3rd and 4th parties. Frequently stories appear in the news about websites been compromised by for example the 3rd party banner network they use. Such latter case is of course extremely damaging to a corporate reputation. As a high-volume site will be popular victims.

Governance / Control

The 4th party phenomenon can result in a mush of sources and origins (domains), where the complexity of the whole increases, and the span-of-control will alarming decrease.

Awareness

To cope with these issues in a sound way, it is important that awareness is created regarding 3rd party includes and the possible risks. A clear vision regarding the above should be formulated and translated into a policy. For example, a thorough risk analysis and assessment could be done. And when necessary some quality requirements could be issued through SLAs with the 3rd party. There are some interesting technically developments going on to deal in a professional way with the same-origin-policy issue when embedding 3rd party content. Things like CORS, CD Messaging and HTML5 Sandbox will in the near future be good solutions to these problems, but until then, risks should be reduced otherwise.

Posted in Security | Tagged , , , , , | 2 Comments

Frontend Trends & Predictions for 2013 (and beyond)

Posted on December 30, 2012 by Marc van den Dobbelsteen

2013 frontend predictionsHappy new year to you all!

A new fresh year is ahead of us. A year that will bring a lot of new stuff to our ever dynamic FE world. I took some time to evaluate last year and have a peek into the overwhelming world that will arive soon. Here some of my thoughts for 2013!

1. Responsive (Web) Design will evolve into Adaptive Systems.

Responsive design has been quite a good catalyst for introducing adaptive layout based web design to a broad audience. But when translating responsive design to a scalable and future-proof solution for a enterprise environment, responsive design as defined by using media-queries, a fluid grid system and flexible images won't cut the cake. A more mature, on adaptive systems based approach, will replace the adaptive design approach. These adaptive systems will consist of a client agnostic interface, context-aware design and adaptive content providers (ACP's) or adaptive content delivery clusters (ACDC's).

2. Letting the grid go

Responsive design is strongly connected with the use of css grid systems to structure the layout of our content en UI elements. It allows flexibility and encourages correlation between page elements. But is is still thinking from a page-design focus and it even has some print design characteristics. There will be a shift from traditional grid-systems to more flexible and future proof solutions. New approaches to this subject like frameless grid and the goldilocks approach already have seen the light. Eventually a more holistic approach of laying-out web elements is needed.auto-layout systems will be introduced that define layout constraints on component level and use a constraint satisfaction system that arranges the elements in a way that most closely meets the constraints.

3. MV* Fatigue

Using one of the MV* family patterns is very popular today in creating client-side applications. And with that a lot of new MV* frameworks are popping up. Like Addy Osmani stated in this blogpost, "This overwhelming growth of MV* frameworks will lead to a lot of frustration and confusion with developers". The 'Yet Another Framework Syndrome', or YAFS will also take place on this front. People are abusing the MV* patterns and end up with a chaotic mess while aiming for more structure. There is also a lot of difference in interpretation how a scalable JavaScript application should be organized. MV* frameworks are not matured enough yet. They still don’t address any kind of application layer, communication between Views. There is also a need for other patterns/logic like application initializer, region management, view management etc..

4. More sensor data available in browser

With the growing adoption of web-apps on mobile the browser will silently integrate with de device it's OS. More and more sensor data from our devices will be routed to the browser through an API. This info can be used in our mobile web-apps to create a lot of rich functionality that currently only can be created with native apps. Geodata from gps and wifi, data from Accelerometer, Gyroscope, Magnetometer, network information, access to local files are already available in the latest mobile/os combinations. Access to captured media and realtime camera access will quickly follow. Eventually device sensors data will be integrated into the DOM with their own objects and events. The introduction of new types of sensors in our handhelds will reveil more and more about the user his context. And this context can be used in our future adaptive designs.

5. FE Cyber security

Whit the rapid growth of cybercrime and the countermeasures know as cyber security, there is also a big shift in focus from backend systems to the client-side environment. Browsers are often misconfigured, allowing malware to get onto a user's system, stealing credit card data and passwords. Also the weakest link in the encryption chain is the browsers memory or DOM. This often will be the only place where heavily encrypted data will be stored decrypted. That's why you will see RAM scraping more commonly now as attackers focus on client-side attacks, shifting away from server-side attacks. Also the inevitable expanding world of mobile, device and social integration and the growing technical complexity of client-side technologies like HTML5 and javascript will provide new attack surfaces with a lot of new vectors. Companies will organize from incident response teams to full time dedicated teams for fighting cybercrime and ensure cyber security. These teams will introduce new roles like Forensic Analysts, and Reverse Engineering Malware Specialists, but there will also be a new role for a Frontend cyber specialist. This will be a Frontend specialist with a dedicated Cyber security knowledge, who will reverse engineer Malware, Trojans and will build client-side countermeasures. Still a niche, but with a lot of potential.

6. The introduction of new devices types.

After the huge growth of mobile devices over desktop last year ,new device-groups will apear, also they will blend in more in daily life than we are used to with our handhelds.
The paradigm shift in computing that we see happening now is not only bringing us new types of devices, but also will introduce new ways of interaction and interfacing. Computing has evolved from the mainframe to the desktop to the shoulder bag to the pocket, and now computing is taking over new frontiers: Our physical bodies and the physical environments we inhabit. Two new families of devices will evolve. The wearables are devices that are worn in or on the body. Embedded devices are 'dumb' devices that have been made smart by integrating sensors and all forms of data-communication These new types of devices will expand our device-landscape and will eventually use our (adaptive) content and apps.

7. The rise of Micro Apps

With the growth of wearable devices the rise of a new ecosystem will occur Small, wearable, connected devices bring personal content to your wrist, your belt, your helmet, your eyeglasses, your car, your bicycle handlebars. The application that live on these devices are called Micro Apps. Micro Apps have limited screen estate and need their specific approach in UX-design. Development platforms for micro apps have already appeared and will grow.

8. More new and smarter sensors will be embedded

Our portable devices will become more and more aware of it's user and the surrounding or context. Our mobiles will be stuffed with a lot of new and smarter sensors. These sensors will allow our devices to hear, sea, taste and smell ! The context-aware smartphone will know, for example, if the user is seated and skip location services updates. If it is in a pocket it prevents inadvertent pocket dialing. Also the integration of e-Health sensors will allow our device to continuously monitor the most important biometric parameters of it's user. It will be aware of the current physical state of the user. All this information will enrich the context profile of the user, and that will allow us to create new smarter interfaces and experiences for our apps and websites.

9. A new era for web-design

The design for our future web will strongly be influenced by the rise of responsive and adaptive interfaces and ever growing and diverging landscape of devices. These new aspects force us to rethink web-design We will need to let go the page-based design thinking and need to search for more modular ways of constructing web-views for our user. New touch patterns will become standard ways of navigating our content. For example, horizontal and vertical scrolling through swiping will become a standard way of navigation. The omni-channel and multidevice landscape will introduce more complex UX-patterns with a transparent and layered interface with multiple views. Visually there will be more room for simplicity and breathing space. The button will be re-invented and full page mood images will disappear. Subtle colored panels, more font types, icons and less images will introduce a new visual era.

10. Breaking out of the browser

The browser will not longer be the only interface for showing web-based applications. With the release of chrome packaged apps you will be able to create desktop apps that won't need a browser to start, but are totally created with HTML, javascript and CSS. The packaged apps can have access to a lot of OS resources that are yet not accessible through the browser. Packaged apps also can more easily be build for offline use. Some HTML5 frameworks like KendoUI and AppJS already have support for building these packaged apps. The attention chrome packaged apps will encourage other browser vendors to pickup their packed app initiatives again and release their own solutions on short term. Packaged apps are the future of 'desktop' apps, written in plain web technology and ready to run everywhere.

Posted in Trends | Tagged , , , | Leave a comment

A new year, a new blog!

Posted on December 29, 2012 by Marc van den Dobbelsteen

starting blogWelcome to my new blog!

After putting  some thoughts on paper about the architectural side of frontend (FE), i claimed the domain frontendarchitecture.org in 2008 with the idea to share knowledge and discuss our FE discipline with others. Then i got busy with lots of other stuff...

Now, with the start of a new year, a professionalized FE world, and the very dynamic, complex and teasing playground of tomorow, i think the time is right to start this blog.

This won't be a blog about implementing FE stuff. It won't house a lot of code or step-by-step instructions. It will more be a place of posing statements and ideas, discussing and teasing about the foundations of our FE environment.

I hope you will join and share your thoughts too by discussing on topics!

Posted in Uncategorized | Leave a comment