[thelist] ajax, javascript libraries - security.
Matt Warden
mwarden at gmail.com
Thu Apr 12 13:28:06 CDT 2007
On 4/12/07, trevor <trevor at intospace.ca> wrote:
> hi folks,
> recently read an article on securityfocus.com, at this link:
> http://www.securityfocus.com/news/11456 entitled "Developers warned to
> secure AJAX design". they refer to a study and paper issued by fortify
> security, which i also read.
I read the fortify article a few days back, and I was not impressed.
> the general idea of the two articles is that libraries such as
> scriptaculous, dojo, YUI, and others are not clearly enough stating the
> cross-site javascript hijacking issues, and that those libraries actually
> **encourage** practices that are insecure, specifically such as using JSON
This in particular is garbage. These libraries support JSON, but I
don't see how that amounts to encouraging its use. I've never liked
JSON, despite my deep respect for Doug Crockford, but that doesn't
mean it isn't a perfectly valid format to use for non-sensitive data.
Thus, why would libraries choose to not support the format just
because it *can* be used in an unsafe way?
> so...i'm looking for opinions and resources that discuss these issues. -
> any of the ajax/JavaScript gurus here have any advice?
Be careful about using JSON or in-memory caching for sensitive data.
Don't be fooled by the alarmist article with the Web 2.0 label
suggesting that this is anything new.
--
Matt Warden
Cleveland, OH, USA
http://mattwarden.com
This email proudly and graciously contributes to entropy.
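The hijacking issue the thread is about, shown in code. This is an added illustration, not code from the original post or from any of the libraries it names: a bare JSON array is a syntactically valid JavaScript program, so a third-party page could load a sensitive endpoint with a `<script src>` tag (the victim's cookies go along with the request) and, in browsers of that era, read the result by redefining `Array` or installing `Object` setters. The functions below show the vulnerable response beside two response-shaping defences and one request-policy defence. The prefix string, the `X-Requested-With` policy and the sample data are constructed for the demo; `isExecutableAsScript` only parses a body, it never runs it.

```javascript
// Added example (not from the original post or from the libraries it names).
// Demonstrates why a bare JSON array response can be hijacked via <script src>
// and how to make the body un-runnable as a script / reject script-tag requests.

const SENSITIVE = [{ user: "alice", balance: 1234 }]; // constructed sample data

// Vulnerable: the body, read as a script, is a plain array literal and executes.
function vulnerableResponse() {
  return JSON.stringify(SENSITIVE);
}

// Defence 1: prefix the body with tokens that are a JavaScript syntax error.
// The legitimate XHR client knows the prefix and strips it before JSON.parse.
// (A `while(1);` prefix parses fine and only hangs at run time, so the parse-time
// check further down would not flag it; a hard syntax error is easier to verify.)
const GUARD_PREFIX = ")]}',\n"; // assumed prefix, chosen for this demo

function guardedResponse() {
  return GUARD_PREFIX + JSON.stringify(SENSITIVE);
}

// Client side: refuse anything without the prefix, then parse the remainder.
function parseGuarded(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Defence 2: wrap the array in an object. `{"d":[...]}` read as a script is a
// block statement that begins with a string literal followed by ':', which is
// also a syntax error, so a <script> tag cannot execute it either.
function wrappedResponse() {
  return JSON.stringify({ d: SENSITIVE });
}

// Harness: would this body parse as a JavaScript program at all? Parse only,
// no evaluation, so a looping prefix cannot hang the check.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Defence 3 (server side): a <script src> tag can only issue a GET with no
// custom headers. Requiring POST, or a header that only the site's own XHR code
// sets, means a cross-site script tag never receives the data at all.
// (Assumed request shape: { method, headers } with lower-cased header names.)
function authorizeJsonRequest(req) {
  const headers = req.headers || {};
  return req.method === "POST" || headers["x-requested-with"] === "XMLHttpRequest";
}

// Stand-alone demo run
console.log("bare array parses as script:   ", isExecutableAsScript(vulnerableResponse()));
console.log("prefixed body parses as script:", isExecutableAsScript(guardedResponse()));
console.log("wrapped body parses as script: ", isExecutableAsScript(wrappedResponse()));
console.log("client recovers data:          ", JSON.stringify(parseGuarded(guardedResponse())));
console.log("plain GET allowed:             ", authorizeJsonRequest({ method: "GET", headers: {} }));
```

The parse check is a useful regression test for any endpoint that returns JSON to an authenticated session: if `isExecutableAsScript` returns `true` for the raw body, the response is in the shape the Fortify paper warned about. Note that defence 1 and 2 only work if the endpoint never also serves the bare array to a different client, and defence 3 must be enforced server-side, since the header is trivially sent by the site's own code but cannot be added by a `<script>` tag.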