[Catalyst] Picking template type based on input
Bill Moseley
moseley at hank.org
Sun Mar 28 21:41:12 GMT 2010
On Sun, Mar 28, 2010 at 7:12 AM, Jon mailinglists <jon.mlist at gmail.com> wrote:
> In my catalyst app I have this sub (not really, but this makes things
> easier to follow):
>
> sub get_info : Local {
>     my ($self, $c) = @_;
>
>     my $info = $c->user->member_info;
>     # Builds the JSONP response by string concatenation: the user's data is
>     # spliced into a JavaScript function call without any encoding.
>     my $res = 'MyNamespace.callback({"ResultSet":{"totalResultsAvailable":"73399",'
>             . '"firstResultPosition":"0","totalResultsReturned":"20","Result":[{"Title":"'
>             . $info->get_column('first_name') . ' ' . $info->get_column('last_name')
>             . '","zip_code":"' . $info->get_column('areacode') . '"}]}});';
>     $c->response->body($res);
> }
>
I think I get it now. I first thought you were talking about users adding
javascript to pages you render -- that is, allowing someone to inject script
onto your pages.
(I'm hoping someone will jump in and correct anything I say wrong here --
which often seems like the best way to get a response here...)
I think the short answer is, don't return JSONP -- don't return JSON wrapped
in a function call. That's a way to bypass security provided by the
same-origin policy.
Let me restate what I think you are saying:
1. The "good site" (MY-CATALYST-SERVER in your example) returns the JSONP
above as long as the user is logged in. By "logged in" that means the
request includes a valid session id in the cookie.
2. In another tab of the same browser, when viewing a page from
"evil_empire.com", a request is made to
http://MY-CATALYST-SERVER:3000/member/get_info.
3. That request will include the cookie required to gain access (and thus
return private user data).
4. Javascript is returned that includes a call to a function passing the
user's private data to that function.
5. evil_empire.com now has access to the user's name and zip code.
Yes, this is true. This is a security hole. But by returning JSONP you
gave away this access.
JSONP is "application/javascript" -- and as such it can be loaded from any
domain. Loading javascript is not limited by the same-origin policy. (If it
were, then Content Delivery Networks would be of limited use.)
Note, this has nothing to do with YUI.Get. evil_empire.com just needs to
add a <script> tag to their page to fetch the JSONP from your app. YUI.Get
just provides a dynamic way to accomplish that.
Your application should only return data via JSON, not JSONP. For a script
to read JSON data it needs to use XMLHttpRequest and that request is limited
by the same-origin policy. That is, javascript running on evil_empire.com's
page cannot do an AJAX request to your catalyst application.
Hopefully, that's clear -- and correct. ;)
--
Bill Moseley
moseley at hank.org
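The leak Bill walks through in steps 1 to 5, and the difference between the JSONP the original action returns and the plain JSON he recommends, as an added Node.js example (not code from the thread or from Catalyst). It assumes a constructed member record in place of `$c->user->member_info`, and it stands in for the browser loading a cross-origin `<script src=...>` by executing the response body with `new Function` while the attacker's `MyNamespace` object is in scope; the function names `jsonpBody`, `jsonBody`, `loadAsScript` and `attackerHarvest` are mine. The cross-origin XMLHttpRequest restriction itself is not simulated, only the consequence that a bare JSON body is not something a script tag can hand to the attacker.

```javascript
// Added example: why a JSONP response leaks the logged-in user's data to any
// page that can add a <script> tag, while a bare JSON response does not.
// Not from the original thread; the simulation below replaces a real browser.

// Constructed stand-in for what $c->user->member_info would return.
const memberInfo = { first_name: 'Ada', last_name: 'Lovelace', areacode: '94103' };

// The same ResultSet structure the original get_info action builds.
function resultSet(info) {
  return {
    ResultSet: {
      totalResultsAvailable: '73399',
      firstResultPosition: '0',
      totalResultsReturned: '20',
      Result: [{ Title: `${info.first_name} ${info.last_name}`, zip_code: info.areacode }],
    },
  };
}

// What the original action returns: JSON wrapped in a function call, i.e.
// executable JavaScript. (JSON.stringify is used here instead of the original's
// string concatenation; the leak does not depend on that difference.)
function jsonpBody(info, callbackName = 'MyNamespace.callback') {
  return `${callbackName}(${JSON.stringify(resultSet(info))});`;
}

// What Bill recommends instead: bare JSON, readable only through
// XMLHttpRequest, which the same-origin policy restricts.
function jsonBody(info) {
  return JSON.stringify(resultSet(info));
}

// Assumption: this models the browser fetching a cross-origin <script src=...>.
// The response body is run as a script with the attacker page's globals in
// scope. A real page would use the DOM; new Function is only the simulation.
function loadAsScript(body, globals) {
  const names = Object.keys(globals);
  try {
    new Function(...names, body)(...names.map((n) => globals[n]));
    return { executed: true, error: null };
  } catch (err) {
    return { executed: false, error: err.constructor.name };
  }
}

// The evil_empire.com page: define the callback the JSONP expects, then
// "load" the response as a script. Returns whatever the callback captured.
function attackerHarvest(body) {
  const stolen = [];
  const MyNamespace = {
    callback(data) {
      for (const r of data.ResultSet.Result) {
        stolen.push({ name: r.Title, zip: r.zip_code });
      }
    },
  };
  const outcome = loadAsScript(body, { MyNamespace });
  return { stolen, outcome };
}

if (typeof require !== 'undefined' && require.main === module) {
  // JSONP: the callback runs and the attacker now has name and zip code.
  console.log(attackerHarvest(jsonpBody(memberInfo)));
  // JSON: the body is not a valid script (SyntaxError); nothing is captured.
  console.log(attackerHarvest(jsonBody(memberInfo)));
}
```

Running it shows the JSONP case filling `stolen` with the user's name and zip code, while the JSON body fails to parse as a script and yields nothing; the attacker's remaining option, an XMLHttpRequest from evil_empire.com, is the one the same-origin policy governs.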