Protecting a JavaScript Service
Written by on April 5th, 2007 in Ajax News.
There is increasing buzz over security with JavaScript, and people are stepping up to the plate.
In How to Protect a JSON or Javascript Service, Joe Walker looks at a few solutions such as:
- Use a Secret in the Request
- Force pre-eval() Processing
- Force POST requests
Joe implements some of these in DWR, including:
Prefix the script with throw new Error("message");. This is a neat solution in that the message lets you explain what is wrong to users who hit it by mistake.
In "130 bytes are enough to solve JavaScript JSON Hijacking problems?", Andrea Giammarchi discusses tactics for detecting the hijacking of your objects and comes up with solutions such as this:
if ((function (c, m, t) {
        t = c[m];          // save the object's own toString, if a script has planted one
        delete c[m];       // fall back to the inherited toString
        if (/^\[XMLHttpRequest\]$/.test(c)) {   // the string form the check expects from an untouched constructor
            c[m] = t;      // restore the saved property and report OK
            return 1;
        }
        // on failure the saved property is left deleted and undefined is returned
    })(XMLHttpRequest, "toString"))
    alert("Valid XMLHttpRequest");
else
    alert("XMLHttpRequest is corrupted");
Finally, the GWT team has published an article on Security for GWT Applications that delves into how GWT handles JavaScript vulnerabilities such as leaking data, cross-site scripting, forging requests, JSON and XSRF.
A lot of good stuff.
Source: Ajaxian
Original Article: http://ajaxian.com/archives/protecting-a-javascript-service