[Catalyst] Re: implementing ajax

J. Shirley jshirley at gmail.com
Thu Mar 13 15:51:00 GMT 2008


On Thu, Mar 13, 2008 at 6:41 AM, KH <khultman at gmail.com> wrote:
> The only /real/ vulnerability to JSON - as I understand it, and I could be
> wrong - is when you read JSON from untrusted hosts.  JSON doesn't have the
> requirement like XML does that the response come from the same host that
> you requested it from - and this is where some of the cross-site scripting
> exploits come into play (as I understand it).  But I'm sure there are some
> pretty good ways of mitigating that risk.  The two ways I can think of off
> the top of my head are: including a sha-1 challenge in every request, and
> sha-1 response with the returned data; or just crypt every data field with a
> cheap encryption scheme using a certificate you push to the client.
> Actually, I just read a great article on pushing certs to the client:
> http://drnicwilliams.com/2008/02/22/zero-sign-on-with-client-certificates/

This is incorrect: you can read XML and JSON from 3rd party domains if
you know how to instruct the browser to do it.  The browser will only
limit host if you use XmlHttpRequest as the transport.  The format of
the data has nothing to do with the security rules applied to
transport.

If you try to do an XmlHttpRequest to a different domain, it will
fail.  It doesn't know anything at all about the format - you can send
anything: plain text, html, JSON, PHP Serialization.  To handle
cross-domain requests, you can use an iframe transport and it will
work for any other domain, regardless of the wire format.  Cross-site
scripting is a completely different beast, though.

The real core issue is that relying on the browser to always do what
you want is not a good idea, much like trusting the referrer headers.
Just don't.

Code responsibly, and JSON and XML are both equal in this regard -
done responsibly the only difference is personal taste.

-J
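The point made above, that the browser's transport rules and the data format are separate concerns, has a practical consequence for the receiving side: whatever transport delivered the bytes (XMLHttpRequest, an iframe transport, a script tag), the page must decide for itself whether to trust them. The following is an added example, not code from the thread or from Catalyst; the origin allowlist, the sample URLs and the sample replies are all constructed, and the shape check is a stand-in for whatever the caller actually expects. It uses JSON.parse rather than eval, since JSON.parse only builds data and refuses anything that is not strictly JSON (JSON.parse was not yet available in every browser in 2008, but it is in every current browser and in Node).

```javascript
// Added example (not from the thread): consume a JSON reply responsibly.
// The checks here are independent of how the bytes arrived (XMLHttpRequest,
// iframe transport, script tag): the data format carries no security rules.

// Constructed allowlist of origins this page is willing to accept data from.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Reduce a URL to its origin (scheme + host + port) so a lookalike host
// such as https://app.example.com.evil.net does not pass a substring test.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // malformed URL: treat as untrusted
  }
}

// Parse with JSON.parse, never eval(): JSON.parse only builds data and
// throws on anything that is not strictly JSON, so a reply that is really
// JavaScript (e.g. "alert(1)") is rejected instead of executed.
function parseJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, reason: "not valid JSON" };
  }
}

// Accept a reply only if it came from a trusted origin, is well-formed JSON,
// and has the shape the caller expects (isExpectedShape is a caller-supplied
// predicate; hypothetical name).
function acceptReply(url, text, isExpectedShape) {
  const origin = originOf(url);
  if (origin === null || !TRUSTED_ORIGINS.has(origin)) {
    return { ok: false, reason: "untrusted origin: " + origin };
  }
  const parsed = parseJson(text);
  if (!parsed.ok) {
    return parsed;
  }
  if (!isExpectedShape(parsed.value)) {
    return { ok: false, reason: "unexpected shape" };
  }
  return { ok: true, value: parsed.value };
}

// Example shape check: an object with a numeric "count" and an array "items".
function isListReply(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) &&
    typeof v.count === "number" && Array.isArray(v.items);
}

// Constructed sample replies exercising the three checks.
const GOOD = acceptReply("https://app.example.com/list",
  '{"count":2,"items":["a","b"]}', isListReply);
const LOOKALIKE = acceptReply("https://app.example.com.evil.net/list",
  '{"count":0,"items":[]}', isListReply);
const SCRIPT = acceptReply("https://app.example.com/list",
  'alert(1)', isListReply);
const WRONG_SHAPE = acceptReply("https://app.example.com/list",
  '["a","b"]', isListReply);
```

The origin comparison deliberately uses the parsed origin rather than a substring match on the URL, and the shape check runs after parsing so that a syntactically valid but unexpected document (for instance a bare array where an object was expected) is refused too.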


