struts-dev mailing list archives

From Dale Newfield <d...@newfield.org>
Subject Re: Comments in JSON
Date Sat, 09 Jul 2011 15:34:33 GMT
Below are a few (of many that I found with a simple google search) explaining the issue in detail.  Basically the problem is that <script /> tags don't abide by the same-origin policy, so if your response to a GET request is a valid json object, that data can be fetched by a script tag in pages on other sites, and then sent back to that other site without the user knowing.  Wrapping the response in a comment protects that data.

-Dale

http://directwebremoting.org/blog/joe/2007/03/06/json_is_not_as_safe_as_people_think_it_is_part_2.html

http://haacked.com/archive/2009/06/25/json-hijacking.aspx

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

http://www.yuiblog.com/blog/2007/04/10/json-and-browser-security/
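The comment-wrapping mitigation the message describes, as an added example that is not part of the original message and not the Struts JSON plugin's own code. The server-side half is written in JavaScript only for illustration (the real producer would be the Struts result), and the wrapper markers `/* ` and ` */` are an assumption; the point is that a cross-site `<script src=...>` load of the endpoint evaluates to an empty program, while the legitimate same-origin caller strips the wrapper before parsing. It also handles the one edge case a comment wrapper has: a `*/` sequence inside a JSON string value would close the comment early, so it is escaped as `\u002a/`, which JSON still decodes to `*/`.

```javascript
// Added example (not from the original message or the Struts project).
// Server side wraps the JSON body in a block comment; client side strips it.

const WRAP_PREFIX = "/* ";   // assumed wrapper markers, not Struts' actual defaults
const WRAP_SUFFIX = " */";

// Server side: serialize a value and return the exact response body text.
function wrapJsonResponse(value) {
  const json = JSON.stringify(value);
  // In JSON, "*" can only occur inside a string, so every "*/" is inside a
  // string value. Rewriting "*" as the JSON escape "\u002a" keeps the parsed
  // value identical while guaranteeing the comment is only closed by our suffix.
  const safe = json.replace(/\*\//g, "\\u002a/");
  return WRAP_PREFIX + safe + WRAP_SUFFIX;
}

// Client side (same origin, e.g. after fetch(url).then(r => r.text())):
// verify the wrapper is present, strip it, then parse. Fail closed if the
// wrapper is missing, since that means the response is not the protected form.
function parseWrappedJson(body) {
  if (!body.startsWith(WRAP_PREFIX) || !body.endsWith(WRAP_SUFFIX)) {
    throw new Error("response is not comment-wrapped JSON");
  }
  const inner = body.slice(WRAP_PREFIX.length, body.length - WRAP_SUFFIX.length);
  return JSON.parse(inner);
}

// Constructed sample record; the note deliberately contains "*/".
const sample = { user: "alice", note: "ends with */ here", balance: 42 };
const responseBody = wrapJsonResponse(sample);
console.log(responseBody);                 // the whole body is one JS comment
console.log(parseWrappedJson(responseBody)); // round-trips to the original object
```

Note that the wrapper only helps for data the browser would otherwise execute as a script; it is a defence for GET-served JSON, not a substitute for requiring POST or a custom header on sensitive endpoints.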


