authentication provider. The party responsible for validating a user's credentials and issuing a token that can be used to access other sites. This is the web site you visit to do the actual authentication.
content injection. In a web application that accepts data input from users, content injection refers to the act of an attacker attempting to insert HTML or client script content that will be processed by a client browser, or SQL commands that the server may process. If successful, content injection of HTML or client scripts will cause the website to behave undesirably for any user that views the injected content because it's being processed by their browser as legitimate HTML or client script. Content injection can result in many undesirable effects, such as causing parts of a web page to disappear, diverting user requests to a malicious location, or allowing an attacker to eavesdrop. SQL injection does not affect the client browser, but if a web application accepts user input and uses it to dynamically create a SQL query without verifying the content, an attacker can inject syntax into the SQL query to manipulate the database and even the database server if it's not locked down properly. This type of attack can lead to deleted data, dropped databases, or even allow operating system commands to run as if you were typing them at the command line.
cross-site scripting (XSS). An attack whereby scripts from a malicious source are executed on a client browser as part of a trusted web page. Websites that build pages with data elements originating from other sources, such as user input or shared databases, are vulnerable to XSS attacks.
cross-site request forgery (CSRF). An attack in which a client browser is manipulated into performing malicious actions on a server with which the client has some form of trusted relationship through authentication, HTTPS, or IP filtering. An attacker embeds a link or a script in a piece of untrusted content that does something on the trusted site to which the user is currently authenticated. A simple example is an image element embedded in an HTML email that includes a URL query string, which performs a malicious action. If users click the image, they unknowingly initiate the act on the site where they are authenticated.
Data Model. An object that represents an entity built for data storage services. These are not available for use outside the boundaries of the application and are often encapsulated behind a services layer.
Domain Model. An object that represents an entity in the problem domain, which may also be annotated or extended to support some application features such as validation or authentication. Because these models need to be shared between the server and client browser, they are sometimes contained within view models and used directly for data-binding in HTML forms. Application models and service models are variations of domain models.
eavesdropping. Exploiting a web application using a network data capture utility to find and record HTTP requests and responses between a website and a client. Eavesdropping can lead to disclosure of sensitive information such as passwords, personal, or financial information, and can potentially allow the execution of spoofing, tampering and message replay attacks.
flow diagram. A diagram that defines the pages in the site, actions available on those pages, and navigation between pages. This diagram reflects the user stories identified in the requirements.
Forms authentication. Forms authentication enables user and password validation for web applications that do not require Windows authentication.
Form Model. An entity that represents all of the fields in an HTML form that is specific to a controller action. It contains only the data that is passed into the action. Generally, this corresponds to whatever form is posting back to the server. Form Models (sometimes called Request Models) are a special case of View Models. View Models are more generic in that they may also include additional data needed to render a page. A Form Model might end up being a property on another View Model.
fragment identifier. The portion of a URL identified by the hash (#). With regard to browser navigation, hyperlinks include them to make the hyperlink unique. When used in conjunction with the hashchange event, page content is able to change without performing a full-page reload.
given-when-then template. A helpful template for defining acceptance criteria that include the context of the test (given), the action being tested (when), and the expected outcome (then). This template provides clear and concise documentation that can be understood by team members and can be used to generate both manual and automated test scripts.
jQuery selectors. A syntactical aspect of jQuery that allows you to select all DOM elements based on specific criteria (tag name, id, attribute name, value, and more). Once the selection is made, jQuery is used to operate on the selected elements.
Jump List. List of commonly used tasks and destinations, enabling easy user access to destinations by eliminating the need to launch the browser and then load the relevant content. Also allows users to perform common tasks without launching the web application in advance. This is a feature of Windows® Internet Explorer® 9.
malicious input. Bad data that causes your system to behave undesirably and/or corrupts data.
message replay attack. An attack that alters the contents of a captured HTTP request and re-submits it to the website.
message tampering. When an attacker maliciously alters the content of request and/or response messages flowing between two parties across a network. For example, if a customer submits an order for 100 widgets to an online merchant, an attacker might alter the order request to order 10,000 widgets instead. Message tampering can be part of a message replay attack or a man-in-the-middle attack.
mock. The typical strategy for isolating your component under test is to supply an alternative component or function that the component calls instead of supplying the real component. These alternative components may also be referred to as fakes, doubles, or stubs.
mockup. A visual representation that shows what the site will eventually look like. Mockups contain details such as typography, color, gradients, images, and transparency, but no functionality. Mockups should communicate all necessary details of the UI. To do so, multiple mockups for a single page may be required to convey details of the different states of the application.
mood board. A visual collage made up of images and color palettes from a variety of sources that communicate the emotional connection the application aims to have with the users.
persona. A representation of a particular type of user the team can identify with. A persona is a user in context that embodies work style, role, motivation, skills, and goals. If you have a complicated or large application, some features might target multiple personas.
pinned site. A feature of Windows Internet Explorer 9 that integrates your website with the Windows 7 desktop. Pinned sites enable easy access to favorite websites and add shortcut functionality similar to shortcuts in Microsoft® Windows applications. With pinned sites enabled for a website, users can pin the site to the Windows 7 taskbar or add the site to the desktop or Start menu. With this feature, you can add site metadata, create custom jump lists, notification icons, and Thumbnail Preview toolbar controls for the websites you develop.
Plain Old CLR Object (POCO). Refers to a class in the Microsoft .NET Framework that does not have any dependencies on external libraries such as the Entity Framework. For example, if a class inherits from a base class provided in an external library, it is not a POCO.
progressive enhancement. Adds features to the client-side experience based on browser capabilities.
Publish/Subscribe pattern (pub/sub). A messaging pattern that enables loose communication between publishers and subscribers. A pub/sub object manages communication, relieving the publishers and subscribers from having direct knowledge of one another.
relying party. The party trying to validate a user based on a security token that was issued by an authentication provider.
repository. A set of interfaces and implementations providing methods for data access.
Repository pattern. This pattern assists the data model in separating data storage concerns from the application logic. The interfaces do not expose any data storage-specific types and the implementation classes use them. You can choose how many repositories to create based on how granular you want to factor the methods and the expected data access pattern from your application.
rule of thirds. This is a rule of thumb for visual composition that states that an image should be imagined as divided into nine equal parts by two equally-spaced horizontal lines and two equally-spaced vertical lines. Important compositional elements should be placed along these lines or their intersections.
safe list. A list that limits input by only allowing what is known to be valid. The advantage of safe lists is that anything that falls outside of the valid set of characters is not allowed.
salt. A salt is a value combined with a cryptographic key to make the output of an encryption algorithm more random and less susceptible to attack.
sandboxing. Technique that allows components of the application to be tested before the entire application is complete. It also makes testing more robust by preventing software defects in one module from blocking or affecting the testing of other modules.
Single-Page Interface (SPI) pattern. A pattern for web applications that reduces the number of full-page reloads during user navigation. When a user performs an action, such as selecting a hyperlink, which traditionally requires the site to load a new web page, the application instead modifies the current web page without reloading it.
single-page interface web application. Web application where the user is only required to perform a full-page load once. From that point on, all page changes and data loading is performed without a full-page reload. Hotmail, Office Live, and Twitter are examples of single-page interface web applications.
sliding expiration. A pre-determined amount of time where an authenticated user can use the site. The amount of time is reset whenever the user makes a new request to the server. The advantage of using a sliding expiration is that it does not force the user to authenticate again if he or she maintains a reasonable level of activity in the application. Otherwise, the user would be redirected to the authentication page after a fixed amount of time had elapsed after the initial authentication.
static web application. Web sites consisting of static HTML pages, CSS, and images. As each page is navigated to, the browser performs a full-page reload.
structure. The HTML of the page as it relates to the hierarchy of elements that make up the page, rather than the visual appearance or layout of the UI.
topic. The message between the publisher and subscriber in a pub/sub environment. This message, also often referred to as an event, represents the contract between the sender and receiver, and is made up of a name and an optional message body.
user gestures. A specific action that a user takes in order to interact with an application. Traditionally, gestures include mouse clicks and keys presses. However, many modern applications also employ interactions in which a user acts more directly on an application. For example, they may touch a screen to swipe, pinch, or pull content.
ViewBag. The name/value keyed collection that lets you store any loosely typed data. ASP.NET MVC 3 introduced the ViewBag (called ViewData in previous versions) in addition to View.Model.
View Models. Models contained within the MVC application which are built solely for a view to data-bind against. They often follow the same composition hierarchy as the views and partial views.
widget method. The method that represents the primary interface for applying the widget to elements and using the widget after it's applied. The widget method is named after the name of the widget.
wireframe. A diagram that depicts rough placement of the text, data, and basic controls of a UI. These diagrams are tools used to help organize the page's information. A wireframe does not show details of the page.
wrapped set. A wrapped set is the result of a query that uses a jQuery selector to find elements in the DOM. To call a method on a wrapped set of elements, a selector is used to select elements in the DOM. For example, to add the listing CSS class to all ul elements directly inside a div element, you can use $('div ul').addClass('listing').