[thelist] ajax, javascript libraries - security.

Matt Warden mwarden at gmail.com
Thu Apr 12 13:28:06 CDT 2007

On 4/12/07, trevor <trevor at intospace.ca> wrote:
> hi  folks,
> recently read an article on securityfocus.com, at this link:
> http://www.securityfocus.com/news/11456  entitled "Developers warned to
> secure AJAX design".    they refer to a study and paper issued by fortify
> security, which i also read.

I read the fortify article a few days back, and I was not impressed.

> the general idea of the two articles is that libraries such as
> scriptaculous, dojo, YUI, and others are not clearly enough stating the
> cross-site javascript hijacking issues, and that those libraries actually
> **encourage** practices that are insecure, specifically such as using JSON

This in particular is garbage. These libraries support JSON, but I
don't see how that amounts to encouraging its use. I've never liked
JSON, despite my deep respect for Doug Crockford, but that doesn't
mean it isn't perfectly valid format to use for non-sensitive data.
Thus, why would libraries choose to not support the format just
because it *can* be used in an unsafe way?

> so...i'm looking for opinions and resources that discuss these issues.  -
> any of the ajax/javascrip guru's here have any advice?

Be careful about using JSON or in-memory caching for sensitive data.

Don't be fooled by the alarmist article with the Web 2.0 label
suggesting that this is anything new.

Matt Warden
Cleveland, OH, USA

This email proudly and graciously contributes to entropy.

More information about the thelist mailing list