Adding Ajax

by Shelley Powers
June 2007
Content level: Intermediate to advanced
400 pages
9h 52m
English
O'Reilly Media, Inc.
Content preview from Adding Ajax

That Security Stuff

I imagine by this point you've torn great furrows into your scalp at the number of ways I've demonstrated for opening your web page to the worst sort of damage.

In particular, working around the browser's same-origin restriction by using dynamic scripting, that is, inserting a script element whose src points at an external service you do not control, means that whatever that service returns runs with the full privileges of your page, and your application is open to potential security violations.

Just such a security violation was discovered in Google's popular Gmail application in 2006. One service associated with the application returned the logged-in user's contact list as JSON, with the Gmail session cookie as its only credential. Nothing about the request was tied to Gmail's own pages: the browser attaches that cookie to a request for the endpoint no matter which page makes it, and a response that is plain JavaScript runs inside whichever page pulled it in. So any web site could load the endpoint in a script element, have it executed with the victim's credentials, capture the contacts as they arrived, and then send the list off using an Ajax call to another service, or even an XHR request on its own site, thus opening up the contacts for yet more spam email. The service never checked that the request came from a "safe" domain.

Creating a JSON or even an XML endpoint that hands out sensitive data to any caller who presents the user's cookie makes no sense, and neither does making a call on such an endpoint from a site you do not trust. Keeping these security issues in mind is important, though, because these kinds of services are exactly what widgets are built on.
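To make the problem concrete, here is an added example (not code from the book, and not Google's code): a cookie-authenticated JSON contacts endpoint of the kind just described, a hardened version of it, and a stand-in for what a cross-site script include does with each response. The session ids, CSRF tokens, user names, contact data and the X-CSRF-Token header name are all constructed for the demonstration. Note that the Array-constructor trick that worked against the real Gmail endpoint in the browsers of the day no longer works in current engines, so the leak is shown with the callback (JSONP) form of the same endpoint, which still does.

```javascript
// Added example, not from the book or from Gmail: a cookie-authenticated JSON
// endpoint another origin can hijack, a hardened version, and a stand-in for a
// cross-site <script src> include. Every id, token, user and contact below is
// constructed for the demonstration.

const SESSIONS = { abc123: "alice" };                 // session id -> user (constructed)
const CSRF_TOKENS = { abc123: "tok-9f8e" };           // session id -> token (constructed)
const CONTACTS = {                                    // constructed sample data
  alice: [["Bob", "bob@example.com"], ["Carol", "carol@example.com"]],
};
const UNPARSEABLE_PREFIX = ")]}',\n";                 // a syntax error if run as a script

function sessionId(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? m[1] : undefined;
}

// Vulnerable: the browser's cookie is the only credential, and the data comes
// back as executable JavaScript (a bare array, or a callback wrapper if asked).
// Any page that loads this URL in a <script> element gets the victim's contacts.
function vulnerableContacts(req) {
  const user = SESSIONS[sessionId(req)];
  if (!user) return { status: 401, body: "" };
  const json = JSON.stringify(CONTACTS[user]);
  const cb = req.query && req.query.callback;
  return { status: 200, body: cb ? `${cb}(${json});` : json };
}

// Hardened: require a header a <script> element cannot set (and that a
// pre-CORS cross-origin XHR could not send either), require a token bound to
// the session, never honour a callback parameter, and prefix the body so that
// even if it is pulled in as a script it fails to parse.
function hardenedContacts(req) {
  const sid = sessionId(req);
  const user = SESSIONS[sid];
  if (!user) return { status: 401, body: "" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest" ||
      req.headers["x-csrf-token"] !== CSRF_TOKENS[sid]) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: UNPARSEABLE_PREFIX + JSON.stringify(CONTACTS[user]) };
}

// Stand-in for a <script src="...contacts?callback=callback"> on the attacker's
// page: the response body is run as a program in a scope where the attacker has
// defined the callback it names. A bare array literal leaks nothing this way in
// current engines; the callback form leaks everything.
function attackerScriptInclude(response) {
  const stolen = [];
  const callback = (data) => stolen.push(...data);
  try {
    new Function("callback", response.body)(callback);
    return { stolen, error: null };
  } catch (e) {
    return { stolen, error: e.constructor.name };
  }
}

// The legitimate same-origin client: sends the headers over XMLHttpRequest,
// then strips the prefix before parsing.
function legitimateClientParse(response) {
  if (!response.body.startsWith(UNPARSEABLE_PREFIX)) throw new Error("unexpected body");
  return JSON.parse(response.body.slice(UNPARSEABLE_PREFIX.length));
}

if (typeof require !== "undefined" && require.main === module) {
  const cookie = "sid=abc123";
  const crossSite = { headers: { cookie }, query: { callback: "callback" } };
  console.log("vulnerable endpoint, cross-site include:",
              attackerScriptInclude(vulnerableContacts(crossSite)));
  console.log("hardened endpoint, cross-site include: status",
              hardenedContacts(crossSite).status);
}
```

The header check is what actually closes the hole, since a script element cannot add request headers; the prefix is defence in depth for the case where a later change reintroduces a script-readable response, and the per-session token covers clients that can send arbitrary headers cross-origin.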

If you read through the Ajax security restrictions at the Open Web Security Project ...



Publisher Resources

ISBN: 9780596529369