Web Directions North blog
Ajax Security by Douglas Crockford
- The browser is not a safe programming environment.
- An attacker can load additional, external scripts and make requests of your server.
- An attacker can see everything your users see.
- They can send that information to any server in the world.
- These are not new problems.
- How you encode data can prevent a lot of common/simple issues, e.g. convert < to &lt; before placing untrusted text into a page.
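The encoding step behind that bullet, as an added example that is not part of the original talk notes: untrusted text is escaped before it is concatenated into markup, so characters that would otherwise be parsed as tags or attributes are shown literally. The function names (escapeHtml, renderComment) and the sample comment are this example's own.

```javascript
// Added example, not from the original post: HTML-escape untrusted text
// before it is placed into markup. Function names are this example's own.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning in HTML with its entity.
// '&' is included so that an already-encoded or half-encoded value cannot
// be turned back into markup by the browser's entity decoding.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a comment box from user-supplied author and body. Because both are
// escaped, text such as "<b>hi</b>" renders as visible characters; the
// browser never parses it as an element.
function renderComment(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(body) + '</div>';
}

// Constructed sample input containing markup characters and quotes.
const sample = renderComment('alice', '<b>hi</b> & "quotes"');
console.log(sample);
// <div class="comment"><b>alice</b>: &lt;b&gt;hi&lt;/b&gt; &amp; &quot;quotes&quot;</div>
```

This encoder is only correct for text placed in HTML element content or in double-quoted attribute values; data inserted into a URL, a script block or a CSS rule needs the encoder for that context. When building DOM nodes directly, assigning to `textContent` instead of `innerHTML` achieves the same effect without hand escaping.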
- JavaScript’s global object is the root of all XSS (cross site scripting) attacks.
- The DOM is another source of exposure: every node is linked to every other node on the page, and to the network.
- If code is clean and readable, it is less likely to contain insecurities.
- JSLint.com is a tool that defines a professional subset of JavaScript and helps identify insecurities.
- Web 2.0:
  - Mashups are a great innovation, but are insecure.
  - Advertising is a mashup.
- Competition to displace the traditional web:
  - Silverlight
  - Adobe AIR
  - JavaFX
- 3-prong strategy to fix the web:
  - Safe JavaScript subsets: by using JSLint and ADsafe.
  - Small browser improvements: even simple improvements can take a long time to distribute.
  - Massive browser improvements.
- We need to replace JavaScript and the DOM with something more secure, e.g. a secure subset of JavaScript.
- Be rigorous in your coding practices to help your security measures.
Posted by Jeff on 31/01/08 at 12:45 pm