Re: More bollocks from biggots



[snip]
[Best] workaround:
- use XML as transport

God help us!


The paper doesn't say that the best workaround is to use an XML
representation; it rather suggests, as a simple workaround, to only respond
to the POST method, not to the GET method.

"""
A server can mount a defense against JavaScript Hijacking by responding
to only HTTP POST requests and not responding to HTTP GET requests.
This is a defensive technique because the <script> tag always uses GET
to load JavaScript from external sources. This defense is also
error-prone.
"""

The only mention of an XML representation is:
"""
Rico and xajax use XML to transfer data between the client and
server and do not currently support JSON, which makes them trivially
invulnerable to JavaScript Hijacking. However, both frameworks plan
on adding support for JSON in future versions. Hopefully developers
contributing to Rico and xajax will implement JSON support securely
with the first version.
....
"""


So the best workaround is probably just to forbid the GET method for this
kind of request.

Also http://jpsykes.com/47/practical-csrf-and-json-security
mentions that some JSON constructs seem to be safe without any other
protection.
Another suggestion from this site for protecting your exchange:
"""
At the end of the day, a very simple fix like double submitting cookies
solves most of the JSON security issue (I’ll post an example of it as
soon as possible).
"""

JSON (JavaScript Object Notation) is the most popular format for
communicating information in JavaScript and is used by most Web 2.0
applications, so it is probably the most audited.

[snip]


JF
.