Tuesday, April 3rd, 2007

Towards Secure Ajax Mashups

Category: JSON, Remoting, Security

Ajax pioneer Brent Ashley has written a Developerworks article about making Ajax mashups secure. It looks at where things stand today and where they are headed.

He begins by surveying current techniques for calling external servers, such as the popular On-Demand JavaScript technique. This technique has well-known security issues.

The scalability benefit of the <script> tag comes at the cost of sidestepping the Same Origin Policy security model, introducing potential attack vulnerabilities:

  • Cross-site cookie access becomes possible: Scripts from one site can access cookies from another site.
  • There is no opportunity to inspect the retrieved code for safety issues before running it: The code runs immediately upon loading.

One short-term solution is the iframe fragment identifier hack, which Brent describes as follows.

A more recently developed content-retrieval technique employs communication between a page’s script and a hidden iframe through its src URL’s fragment identifier (the part of the URL that comes after the # sign). Scripts in the parent page and embedded iframe can set each other’s fragment identifiers despite coming from different origins. An agreed-upon communication protocol is maintained between the scripts, driven by JavaScript timers that periodically fire routines to check for changes in the fragment identifier.

We’ll hopefully see more flexible, purpose-built solutions in the future, and Brent’s article summarizes the proposals under discussion: JSONRequest, the <module> tag, the content restrictions header, the W3C Access Control List (ACL) System, and Cross-browser.xml.
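To make the difference between the two camps concrete, here is an added example (not code from Brent’s article or from Ajaxian) that consumes a third-party response the way JSONRequest-style proposals intend: as inert data that is parsed and inspected before use, rather than as code that runs the moment a <script> tag loads it. The sample responses and the field names (items, title, url) are constructed for the example.

```javascript
// Added example, not code from Brent Ashley's article or from Ajaxian: consume
// third-party mashup data as inert data instead of executable script. With the
// on-demand <script> tag the response body runs the moment it loads; here it is
// only parsed, checked against an expected shape, and then used. The sample
// responses and the field names (items, title, url) are constructed for the
// example, not taken from any real feed.

// Step 1: strict parse. JSON.parse never executes anything, so a body that is
// really a script (a JSONP-style callback wrapper, any statement) fails here
// instead of running.
function parseInert(body) {
  let value;
  try {
    value = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: "not well-formed JSON" };
  }
  // JSONRequest-style rule: the top level must be an object or an array.
  if (value === null || typeof value !== "object") {
    return { ok: false, reason: "top-level value must be an object or array" };
  }
  return { ok: true, value };
}

// Step 2: inspect the shape before trusting it. Only allow-listed fields are
// copied out, each checked for the type the mashup page expects.
function extractFeedItems(value) {
  if (!Array.isArray(value.items)) return { ok: false, reason: "missing items array" };
  const items = [];
  for (const raw of value.items) {
    if (raw === null || typeof raw !== "object") return { ok: false, reason: "item is not an object" };
    if (typeof raw.title !== "string" || typeof raw.url !== "string") {
      return { ok: false, reason: "item fields have wrong type" };
    }
    // Only http(s) links: a javascript: URL dropped into an href runs on click.
    if (!/^https?:\/\//i.test(raw.url)) return { ok: false, reason: "item url is not http(s)" };
    items.push({ title: raw.title, url: raw.url });
  }
  return { ok: true, items };
}

function consumeRemoteFeed(body) {
  const parsed = parseInert(body);
  return parsed.ok ? extractFeedItems(parsed.value) : parsed;
}

// Constructed sample responses (not real traffic).
const GOOD = '{"items":[{"title":"Ajaxian","url":"http://ajaxian.com/"}]}';
const JSONP_WRAPPED = 'handleFeed({"items":[]})'; // fine as a <script> body, rejected as data
const BAD_LINK = '{"items":[{"title":"x","url":"javascript:void(0)"}]}';
```

Run under Node, the wrapped response and the bad link are rejected with a reason while the well-formed feed yields its one item; nothing in either rejected body is ever executed.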

With all these facilities potentially in the pipeline, one can only hope there will be a clear winner that works in all major browsers, or at least enough overlap that the Ajax libs can provide a straightforward abstraction!

Posted by Michael Mahemoff at 6:27 pm

2 Comments »

“We’ll hopefully see more flexible, purpose-built, solutions in the future…”

If only someone would come up with some sort of extensible markup language that wouldn’t execute on initial load. One that we might twist to use for remote messaging, ideally.

Comment by The Hater — April 4, 2007

…I’m hopeful JSONRequest.js will gain some momentum. Doug Crockford’s proposal seems very sensible and straightforward, and it’s a data format that all Ajax devs are very familiar with. Where can we find news about the progress of these proposals related to the browser powers-that-be?

Comment by Mark Holton — July 18, 2007
