Hi from Portland! I've been here all week at OSCON 2006, the annual O'Reilly Open Source Conference, as has fellow Plaxite Terry Chay. It's been a lively and action-packed event (read as: none of us are getting much sleep). I gave a talk about Cross-Site Ajax on Wednesday afternoon, and it generated quite a lively discussion afterwards, featuring some key people from Mozilla and Google (this is why it's so cool to talk at a place like OSCON!).
Here are the slides from my talk, which include (among other things), some helpful links for more info on cross-site browser issues and the proposals others have made for making things better. Kevin Yank blogged a detailed summary of my talk, which subsequently got picked up by Ajaxian and others. Since one of the main points in my talk was "we need to talk more publicly about these issues", I'm glad to see that my presentation has already sparked some fresh discussion!
Thanks to everyone that came to my talk or met me in the hallways or at dinner. I was impressed an inspired to see how intelligent, thoughtful, passionate, and real the people at OSCON were. I can't wait to return next year (this was my first OSCON). If you missed OSCON (or even if you didn't), check out the OSCON photos on flickr and extensive coverage in the blogosphere.
--Joseph Smarr
P.S. The lovely and talented Caitlin recorded my talk in HD video, so we'll post the edited video when it's ready.
P.P.S I started writing this post last Thursday afternoon, but I'm just finishing it now because Anil and Brad kept me up past my bedtime at the SixApart party (thanks, guys! ;)).
TrackBack
TrackBack URL for this entry:
http://blogadmin.plaxo.com/mt-tb.cgi/117Comments
Julien-you're absolutely right--ideally Plaxo would never need to see a user's clear-text password for a foreign site, or vice versa, and they could still interact in a rich and useful way. As you pointed out nicely in your recent post on Web API authentication for mashups (http://blog.monstuff.com/archives/000296.html), and as I commented on that post, the choice now seems to either be "complex, loosely integrated UI that avoids giving your password to a third party" (e.g. browser-based auth) or "simple, tightly integrated UI that requires sending your password through a third party" (e.g. the plaxo widget). I'm holding out hope for a third option that is a hybrid of the first two. I think our current widget UI is ideal (you enter your gmail/yahoo creds right inside the little widget popup wizard and you immediately see your address book), but I wish I had a way to implement that experience where the password went straight to Google/Yahoo and Plaxo never saw it (through some API, iframe, or whatever). While Plaxo is of course "doing the right thing" of immediately sending your password along and then discarding it, you shouldn't have to trust other sites to not abuse access to your full account, and it should be easier/safer for other sites to let you access your data on another site without having to try hard to do the right thing themselves.
Great discussion, let's keep it going!
Thanks, js
I guess it's the only way to implement this at this time, but the notion of providing Plaxo my password to some other services seems wrong. I know that it's not supposed to be stored and it will be forgotten right after it's used, but it makes me cringe.
Long-term, I'd suppose that Google and other contact services could provide the same kind of cross-site iframe-based API that you have implemented in the Plaxo "button" and popup...