[thelist] ajax, javascript libraries - security.
trevor
trevor at intospace.ca
Mon Apr 16 23:24:46 CDT 2007
thanks for the info guys, it helps a lot.
the stuff i have been reading has reinforced things you both said.
this article at ibm was good for me, it started with the basics and
included lots of resources:
http://www-128.ibm.com/developerworks/library/x-securemashups/
ok well, if i'm grasping the pros and cons, then:
- for totally public info, as in, to expose it as a kind of "data api" for
re-use by other websites, then json offers distinct advantages. but those
advantages turn quickly into security problems if i'm dealing with private
data, between server and browser. in these cases it's a much safer bet to
use a more strictly implemented data format, such as xml, or just use json in
such a way as to deny any behaviours.
- or also - if i'm on the "receiving" end of some external json (the masher,
not the mashee), then there is this huge issue of trust toward the source of
the json-with-behaviour. if "mega-corp" who happens to offer json with
behaviour, suddenly and quietly decides to start collecting data (or
something) within that behaviour, then that is a big risk.
what do you think, am i off base?
could you please shed some light on this too - the defensive concept to
include a line of code such as: while(1) at the start of the json
object, in order to throw an "evil observer's" computer into a loop.
i don't get that. because -- if the "legitimate" javascript knows enough
to remove that line of code before implementing the object behaviour, then
what is to stop the "evil observer" from simply inspecting the legitimate
code, identifying the process to remove the while(1) statement, and then
adding that removal process to their own "evil" observation code??
hope that question makes sense :)
thanks again guys, take care
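An added example illustrating the two points raised in the post (it is not code from the original thread or from the IBM article). It models the `while(1);` prefix defence and the difference between strict data parsing and "json with behaviour". The response bodies, the `observe` function and the helper names (`ANTI_HIJACK_PREFIX`, `parseGuardedJson`, `consumeWithEval`) are constructed for the example. The reason the prefix holds up is visible in the code comments: a cross-site page cannot read the raw response bytes, it can only include the URL with a `<script src>` tag, where the browser executes the body verbatim and never gets past the prefix, whereas the site's own script fetches the same body as text and strips the prefix before parsing.

```javascript
// Added example: same-origin consumer of a "while(1);"-prefixed JSON response,
// next to an eval()-based consumer that shows why "json with behaviour" is risky.

// Assumed prefix; the server must emit exactly this and the client must strip it.
const ANTI_HIJACK_PREFIX = "while(1);";

// Constructed sample of a server response: prefix, then plain JSON data.
// A third-party page can only pull this in via <script src=...>; the browser then
// executes the whole body as a script, loops forever on the prefix, and the JSON
// after it is never evaluated or exposed. The site's own page fetches it as text
// (XMLHttpRequest) and can remove the prefix because it sees the raw string.
const sampleResponse = 'while(1);{"user":"alice","balance":42}';

// Strip the prefix, then parse strictly. JSON.parse accepts data only: a body
// carrying a function call or assignment is rejected instead of executed.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Returns true when the body is pure data that a strict parser accepts.
function isStrictData(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed "json with behaviour": the producer embedded a call that observes
// the data (the "mega-corp quietly starts collecting" risk from the thread).
const observed = [];
function observe(name) {
  observed.push(name);
  return null;
}
const behaviourResponse = '({"user":"alice","balance":42,"t":observe("alice")})';

// Deliberately unsafe consumer: whatever the producer put in the body runs here,
// with access to this page's scope. Returns the evaluated object.
function consumeWithEval(body) {
  return eval(body);
}

// Stand-alone run: the guarded path yields data, the eval path leaks a call.
console.log(parseGuardedJson(sampleResponse));
console.log("strict parser accepts behaviour payload:", isStrictData(behaviourResponse));
```

The guarded path is what the site's own JavaScript does; the eval path is what a consumer of external "json with behaviour" is exposed to, which is why strict parsing (or a stricter format such as XML) is the safer choice for private data.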