[Laszlo-user] Perl Catalyst
P T Withington
ptw at openlaszlo.org
Mon Jun 4 10:38:02 PDT 2007
On 2007-06-04, at 11:24 EDT, Henry Minsky wrote:
> JSON will of course parse directly using eval() in DHTML.
> Loading of JSON also is currently free of the security restrictions
> that XMLHTTPRequest has, which allows the client more power to access
> 3rd party services without needing to go through a proxy server on the
> host from which the app was loaded (which could be a good thing or bad
> thing, depending on how you feel...)
Most likely a bad thing, as discussed [here](http://www.fortifysoftware.com/advisory.jsp).
For that reason, we probably want to use Oliver's parser for both
runtimes, and want to ensure the json data is _not_ directly
evaluable, as previously discussed in this thread:
On 2007-04-03, at 07:06 EDT, P T Withington wrote:
> 1) Your server has to protect itself from [CSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks.
>
> 2) You should not deliver your data as executable code, since
> anyone could then load it using a <script> tag.
[...]
>> As annoying as it is, using Flash allows you to be more secure.
>
> Because it enforces a cross-domain policy on both data and code.
> DHTML only enforces such a policy on data. Hence, if you deliver
> your data as code, you run the risk of it being stolen.
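An added illustration of point 2 above, not code from this thread or from OpenLaszlo: the server prepends a guard so the JSON body is a syntax error when pulled in through a third-party `<script>` tag, while a same-origin XMLHttpRequest caller strips the guard and parses the remainder. The guard string, the helper names and the use of JSON.parse are this example's own assumptions.

```javascript
// Guard prefix chosen for this example (an assumption, not a Laszlo
// convention): an unbalanced ")" makes the response unparseable as script.
const GUARD = ")]}',\n";

// Server side: serialise the data and prepend the guard, so the body is
// never directly evaluable as JavaScript.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side: only a caller that can read the raw response text (a
// same-origin XHR) can strip the guard; a <script> tag only executes the
// text, which fails on the guard. Parsing uses JSON.parse, not eval().
function parseGuardedJson(text) {
  if (!text.startsWith(GUARD)) {
    throw new Error("response is missing the guard prefix");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Defender-side check: does a response body parse as a script at all?
// new Function() only compiles the text; nothing is run.
function evaluatesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample record, standing in for data a server would return.
const sample = [{ user: "alice", role: "admin" }];
console.log(evaluatesAsScript(JSON.stringify(sample)));  // bare array: true
console.log(evaluatesAsScript(guardJson(sample)));       // guarded: false
console.log(parseGuardedJson(guardJson(sample))[0].user); // "alice"
```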