[Javascript] Serious browser detection.

Chris T christ at saeweb.com
Tue Mar 16 09:03:30 CST 2004


What are tokens?

----- Original Message ----- 
From: "David Lovering" <dlovering at gazos.com>
To: "[JavaScript List]" <javascript at LaTech.edu>
Sent: Tuesday, March 16, 2004 9:07 AM
Subject: Re: [Javascript] Serious browser detection.


Another issue to consider is that many of the reserved tokens can be
"spoofed" in JavaScript (or so the CERT/CIAC security folks maintain).  If
my understanding is correct, these are defined shortly after the client
connection to the session is initiated, and can (allegedly) be manipulated
subsequently.  Presumably later revs will preclude this, making it
impossible to alter reserved tokens unless done in a signed script -- and
even then with restrictions.  I've already verified that some reserved
tokens are protected this way, but the security notices would imply that not
all of them are.  I've not experimented with the browser detection
parameters, and couldn't say one way or the other whether they are
vulnerable.

Anybody have any personal experience with this?  I'd like a second (or
third) opinion.
