Web application security is hard, and getting harder. New technologies and techniques mean new vulnerabilities, and keeping on top of them all is a significant challenge. This talk will dive deep into the underbelly of JavaScript security, exploring topics ranging from basic cross-site scripting to CSRF, social network worms, HTML sanitisation, securing JSON, safe cross-domain JavaScript and more besides.
Points out how the MS AJAX stack on the server side validates and prevents JSON hijacking. Pushed me towards using MS AJAX on the server side (jQuery & MS on the client side) instead of rolling our own .ashx to work with jQuery.
A small script that lets you use JavaScript session variables without using cookies. It will let you store 2 MB of data, with much less hassle than a cookie-based solution.
It is a sad truth that JavaScript applications are easily left vulnerable to several types of security exploits, if developers are unwary. Because the Google Web Toolkit (GWT) produces JavaScript code, we GWT developers are no less vulnerable to JavaScript attacks than anyone else. However, because the goal of GWT is to allow developers to focus on their users' needs instead of JavaScript and browser quirks, it's easy to let our guards down. To make sure that GWT developers have a strong appreciation of the risks, we've put together this article.
The main thing to worry about is users injecting JavaScript - cross-site scripting (XSS). Other vulnerabilities people used to talk about - trusting user input and checking for SQL injection attacks - are boring/easy. If I have an XSS hole, I can steal your users' cookies and log in as them, show a fake phishing page, embed malware, etc. And any service your site provides, I can perform it as if I were one of your users.