Friday, November 20th, 2009

Full Frontal ’09: Chris Heilmann on Javascript Security

Category: JavaScript, Security

It’s another JavaScript conference! Full Frontal has kicked off in Brighton this morning (fullfrontal09 on Twitter). First up is Ajaxian’s and Yahoo’s Chris Heilmann on JavaScript security. The main theme: let’s use JavaScript sensibly, and let’s not blame the language alone when other things are creating the risks too.

Chris walks us through the history of JavaScript. The days of building complex systems with document.write() are thankfully over, though some people still think that’s what it’s all about. After all the JavaScript bling had annoyed people, Ajax came around and suddenly JavaScript was seen as a tool for useful stuff. But… a little too much Ajax, perhaps? People used it where it didn’t need to be used, and in ways it shouldn’t be used; hence the security fears.

According to a pie chart Chris presents, browser problems are responsible for only 8% of vulnerabilities; the biggest problems are SQL injection and XSS, which the server side should be locking down.

Don’t judge the language by its implementation. It does have intrinsic issues, like global variables, but the right implementation can keep things secure. As well as poor practice, the browsers bear responsibility, and according to the survey Chris cites the cool kids, Safari and Firefox, are the most vulnerable. It gets a lot worse when you start playing with browser extensions.

So do we turn JavaScript off? No, the experience of Google Maps etc. is just too good. We don’t have to learn just by “View Source” anymore; there are plenty of resources out there to learn how to do it, and how to do it properly (not just with a magic code-gen tool). Use JavaScript for the right things, not all things: e.g. a slicker UI, data validation warnings, UI controls not native to HTML, visual effects not native to CSS.

What if you’re sharing content from third parties, as the Yahoo homepage now allows? Caja is presently the only way to do sandboxing in the browser. It doesn’t output pretty code right now, but it does cut out many risks. Caja prohibits eval(), iframes, the * and _ hacks, and many other dangerous features. The latest YUI is Caja-compliant code, and Chris reports John Resig is open to the same thing for jQuery if it turns out there is demand out there.
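Two of the points above, global variables as an intrinsic issue and eval() as something a sandbox like Caja refuses outright, are easier to see in running code. The block below is an added example, not code from the talk, from Yahoo, or from the Caja project. It assumes nothing beyond a JavaScript engine with `globalThis` (window in a browser); the widget names, URLs and feed payloads are constructed for the example. Part 1 shows a widget whose configuration lives on the shared global object being clobbered by an unrelated script that happens to reuse the same name, next to the same widget with its state kept in a closure. Part 2 contrasts the old `eval('(' + text + ')')` idiom for parsing feed data with `JSON.parse`: the former runs whatever the third party sent, the latter rejects anything that is not JSON.

```javascript
// Added example (not from the talk or from Caja/YUI): two "intrinsic issue"
// points in runnable form. Part 1: global variables are shared with every
// script on the page. Part 2: eval() on third-party text versus a JSON parser.
// All names, URLs and payloads below are constructed for this example.

// ---- Part 1: global variables are shared with every script on the page ----

// A widget that stores its configuration on the global object (window in a
// browser; globalThis here so the file also runs under Node).
function leakyWidget() {
  globalThis.widgetConfig = { endpoint: 'https://feed.example.invalid/items' };
  return function currentEndpoint() {
    return globalThis.widgetConfig.endpoint;
  };
}

// The same widget with its state held in a closure and frozen: nothing
// outside the function can reach or rebind it.
function containedWidget() {
  const config = Object.freeze({ endpoint: 'https://feed.example.invalid/items' });
  return function currentEndpoint() {
    return config.endpoint;
  };
}

// A second script on the same page (third-party or merely careless) that
// happens to use the same global name for its own purposes.
function unrelatedScript() {
  globalThis.widgetConfig = { endpoint: 'https://other-script.invalid/' };
}

// ---- Part 2: eval() on third-party text versus a real JSON parser ----

let sideEffects = 0; // counts the times feed text managed to run code

function recordSideEffect() {
  sideEffects += 1;
  return { title: 'not what the feed promised' };
}

function sideEffectCount() {
  return sideEffects;
}

// The pre-JSON.parse idiom: wrap the text in parentheses so that an object
// literal parses as an expression. Anything else in the string runs as well.
function parseFeedWithEval(text) {
  return eval('(' + text + ')');
}

// JSON.parse accepts only the JSON grammar; a payload carrying code is a
// syntax error, which is turned into a null result for the caller to handle.
function parseFeedSafely(text) {
  try {
    return JSON.parse(text);
  } catch (err) {
    return null;
  }
}

// Constructed sample inputs: one well-formed feed entry, and one that is valid
// JavaScript but not valid JSON (a comma expression appended to the object).
const WELL_FORMED_FEED = '{"title":"Weather","items":3}';
const TAMPERED_FEED = '{"title":"Weather","items":3}, recordSideEffect()';

// Stand-alone run of both parts.
function demo() {
  const leaky = leakyWidget();
  unrelatedScript();
  console.log('leaky widget now points at:', leaky());

  const contained = containedWidget();
  unrelatedScript();
  console.log('contained widget still points at:', contained());

  console.log('eval on tampered text returned:', parseFeedWithEval(TAMPERED_FEED),
              'and ran code', sideEffectCount(), 'time(s)');
  console.log('JSON.parse on tampered text returned:', parseFeedSafely(TAMPERED_FEED));
  console.log('JSON.parse on well-formed text returned:', parseFeedSafely(WELL_FORMED_FEED));
}

demo();
```

Running the file shows the leaky widget reporting the other script’s endpoint while the contained one is unaffected, and the eval-based parser returning the injected object (with the side-effect counter incremented) where `JSON.parse` returns null. The same reasoning is why a sandbox has to forbid eval() wholesale rather than try to inspect its argument: once the string reaches eval, the parser is the full language.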

Chris presents various examples of JavaScript outside the browser: AIR, web widgets, server side, even TV sets. It’s a very useful tool there, and shows that the language doesn’t have to be limited to the browser and the security risks that come with browsers.

Posted by Michael Mahemoff at 6:00 am