[Catalyst] Picking template type based on input

Jon mailinglists jon.mlist at gmail.com
Fri Mar 26 22:52:45 GMT 2010


On Fri, Mar 26, 2010 at 10:36 PM, Bill Moseley <moseley at hank.org> wrote:
>> A bit OT, but:
>> Is there any built-in XSS protection in some module in Catalyst?
>> I was thinking something like auth tokens one can add to the html only
>> known by the server and the loaded page, to protect private data sent
>> by JSON. Or isn't that secure enough?
>
> You have an example of what you need to protect against?
> If you are sending a JSON response to the client it's not really "private"
> -- any more than the HTML response. Guess I don't understand your
> concern.

User data, for instance: say I have an application which is password
protected and I'm using the Authenticate/Authorize model that comes with
Catalyst. I then protect the user data with a session cookie, making
sure $c->user->address is shown and editable by the logged-in user
(based on the thought that only the user can send me the cookie).

How do I protect that from another site in another tab? YUI.Get
allows cross-site requests. I haven't looked too deeply into it, but
when I take the URL I see the JavaScript in Gmail requesting and
put it in a small YUI snippet, will I get all my mail?
https://mail.google.com/mail/?ui=2&ik=a_secret_token_or_my_id&view=tl&start=0&num=70&rt=h&search=drafts&zx=a_secret_token_or_my_id

I've obviously removed the one or two variables Google uses to protect
my data, which prevents another tab from actually getting more than my
labels. Obviously what Google has done here is use these tokens to
protect me. If I don't use tokens (or some other scheme), can another
site easily make the request to Gmail and fetch all my mail, my contacts,
etc., all because the browser allows a cross-site script to run and
use the original cookies?

To me it seems cookies (at least in FF 3.5.8) aren't worth anything for
making sure the request is from a logged-in user and not from some random
site the user has gone to while having a valid cookie. Or am I overly
paranoid?

If I'm not paranoid, I'd like to do something like this in
some_header.tt (or in a sandboxed YUI context):
var GLOBAL_TOKEN = "[% c->auth_token %]";

and then, in every request dealing with something I only want a logged-in
user to have access to, require it to match what I've stored server
side for this session.

And again, I'm no security expert, and this JavaScript/browser lack of
security is fairly new to me, so I'm not at all betting my dirty
undies that I'm correct. I'd be a lot happier if I'm not, since this
would add a lot of hassle.