[Catalyst] Re: implementing ajax

Matt Pitts mpitts at a3its.com
Thu Mar 13 20:31:27 GMT 2008


> -----Original Message-----
> From: J. Shirley [mailto:jshirley at gmail.com]
> Sent: Thursday, March 13, 2008 11:51 AM
> To: The elegant MVC web framework
> Subject: Re: [Catalyst] Re: implementing ajax
> 
> On Thu, Mar 13, 2008 at 6:41 AM, KH <khultman at gmail.com> wrote:
> > The only /real/ vulnerability to JSON - as I understand it, and I
> > could be wrong - is when you read JSON from untrusted hosts.  JSON
> > doesn't have the requirement like XML does that the response come
> > from the same host that you requested it from - and this is where
> > some of the cross-site scripting exploits come in to play (as I
> > understand it).  But I'm sure there are some pretty good ways of
> > mitigating that risk.  The two ways I can think of off the top of my
> > head are: including a sha-1 challenge in every request, and a sha-1
> > response with the returned data; or just crypt every data field with
> > a cheap encryption scheme using a certificate you push to the client.
> > Actually, I just read a great article on pushing certs to the client:
> > http://drnicwilliams.com/2008/02/22/zero-sign-on-with-client-certificates/
> 
> This is incorrect, you can read XML and JSON from 3rd party domains if
> you know how to instruct the browser to do it.  The browser will only
> limit host if you use XmlHttpRequest as the transport.  The format of
> the data has nothing to do with the security rules applied to
> transport.
> 
> If you try to do an XmlHttpRequest to a different domain, it will
> fail.  It doesn't know anything at all about the format - you can send
> anything: plain text, html, JSON, PHP Serialization.  To handle
> cross-domain requests, you can use an iframe transport and it will
> work for any other domain, regardless of the wireformat.  Cross-site
> scripting is a completely different beast, though.
> 
> The real core issue is that relying on the browser to always do what
> you want is not a good idea, much like trusting the referrer headers.
> Just don't.
> 
> Code responsibly, and JSON and XML are both equal in this regard -
> done responsibly the only difference is personal taste.

I'll have to concede to the greater knowledge levels of those around me.
I guess JSON just scares me more because of how close it is to being
eval-able by a malicious client and captured with a simple <script> tag.
However, that's probably more a personal taste at this point.

v/r
-matt pitts
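The concern raised above, that a JSON endpoint can be pulled in by a third-party page with a plain `<script>` tag and its evaluated value captured, is the classic "JSON hijacking" problem. The following is an added example, not code from the thread or from the Catalyst project, showing two server-side mitigations a defender can apply regardless of framework: refuse to serve JSON unless the request carries a custom header that a `<script>` tag cannot set, and frame the body with a prefix that is a syntax error when evaluated as script. The function names (`guardJsonResponse`, `unwrapJson`, `prefixBreaksEval`), the prefix string and the header check are this example's own assumptions; the request headers at the bottom are constructed sample input.

```javascript
// Added example (not from the mailing-list thread or from Catalyst).
// Defences against JSON hijacking via <script src="...json-endpoint...">:
//  1. require a custom request header (assumed here: X-Requested-With),
//     which a <script> tag or a cross-site GET cannot attach, so only a
//     same-origin XMLHttpRequest qualifies;
//  2. prefix the body with a token that fails to parse as JavaScript, so
//     even if the response is evaluated as script it throws before any
//     value is produced; the legitimate client strips it before JSON.parse.

const ANTI_HIJACK_PREFIX = ")]}',\n";      // assumed framing token
const REQUIRED_HEADER = "x-requested-with"; // header names lower-cased
const REQUIRED_VALUE = "XMLHttpRequest";

// Server side: decide whether to serve `payload` for a request whose
// headers are given as a plain object with lower-cased names.
function guardJsonResponse(headers, payload) {
  if (headers[REQUIRED_HEADER] !== REQUIRED_VALUE) {
    // Do not rely on the browser's transport rules alone: without the
    // header, treat the request as a possible cross-site script load.
    return { status: 403, contentType: "text/plain", body: "forbidden" };
  }
  return {
    status: 200,
    contentType: "application/json",
    body: ANTI_HIJACK_PREFIX + JSON.stringify(payload),
  };
}

// Client side (same-origin XHR): verify the framing, strip it, then parse.
function unwrapJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("unexpected JSON framing");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's self-check: does this body fail to parse as a script?
// `new Function` only compiles the text; it never executes it.
function prefixBreaksEval(body) {
  try {
    new Function(body);
    return false; // parsed cleanly: a <script> tag could evaluate it
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample requests for illustration.
const payload = { user: "alice", balance: 42 };
const xhrRequest = { "x-requested-with": "XMLHttpRequest" };
const scriptTagRequest = {}; // a <script> load sends no custom header

const served = guardJsonResponse(xhrRequest, payload);
const refused = guardJsonResponse(scriptTagRequest, payload);
console.log(served.status, prefixBreaksEval(served.body), unwrapJson(served.body));
console.log(refused.status, refused.body);
```

Note that a bare JSON array or object literal parses as valid JavaScript, which is why the framing prefix matters: the last line of the self-check shows the unprefixed body compiling without error, while the prefixed one throws a `SyntaxError` before any value exists to capture.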
