sorted by: recent | see : popular

Content Tagged with security + JavaScript

There are a couple of popular workarounds: (1) using the hash (#) portion of the URL, which can be read between frames, and (2) cross-domain JSON, or in other words, directly importing live scripts from a third party site into your own.

We have been investigating the security implications of having a JSON api in Connections. It turns out that it is very easy to leave pretty big security exposures in an application if it isn’t done right. The security exposure in this case is rogue sites being able to get at data made available via a JSON api. The truly frightening part of this is that applications installed on a corporate intranet can actually leak data to internet sites should a user visit a rogue site. BTW, these exposures apply equally to both formally published api’s such as Yahoo’s and also any internal JSON api’s often used for AJAX tricks.

Some developers view AJAX as the silver bullet for every scenario. However, AJAX introduces its own set of hazards in various areas, which include: development time, browsing history and experience, search engine interaction, accessibility, server load, and security. Let’s take a closer look at each of these 6 areas.

The majority of personalized web sites use some kind of form-based password authentication where you have two form fields for username and password, and a login button. When you submit your authentication, the password is sent to the server for verification against a user database. This method has several security implications, and my article describes a possible solution to this, using JavaScript.

more bookmarklet hacking from my favourite XSS guy

Cross-domain data transfer with window.name and the Dojo framework