struts-dev mailing list archives

From Christian Grobmeier <grobme...@gmail.com>
Subject Re: Comments in JSON
Date Sun, 10 Jul 2011 08:34:45 GMT
>> - don't use javascript arrays to return as a json string
>
> It really doesn't matter if it's an array or object, if it's valid json that
> the browser will attempt to execute it's vulnerable.

http://haacked.com/archive/2009/06/25/json-hijacking.aspx
"The fact that this is a JSON array is important. It turns out that a
script that contains a JSON array is a valid JavaScript script and can
thus be executed. A script that just contains a JSON object is not a
valid JavaScript file."

Maybe there are other exploits, but I only know what you sent as links.
And those are saying you need a JSON array because JSON objects are
not valid JS statements.


>> You mentioned to put everything into a js comment. This breaks the
>> protocol definition and will cause jQuery to fail (and probably
>> others).
>
> If it's doing XHR, I'm certain you can insert a filter to make it work
> either way, but making the result configurable doesn't seem to be an
> unreasonable request.  I still suggest that the default behavior is to
> protect users' data.

I just checked: http://api.jquery.com/jQuery.ajax/
jQuery does XHR (wrapped in a jqXHR object), but I would not have a clue
how I could remove those comments. For sure this issue would drive me
crazy.

It is more of a philosophical debate. Should a framework provide
standards and the user decide how he applies security? Or does the
framework decide between lots of options about the user's security and
break the standards?

As a Struts user, these are my expectations:

If you choose the latter one (even when configurable) you should
provide information on what you have done, why it is done and how you
can work with this security standard in common tools like jQuery,
Prototype, Dojo etc. I, as a user, want to make my way quickly through
everything. Sometimes I don't care about security (prototype), sometimes
it is not necessary (internal app, non-sensitive data). If I care, I
can always read the security docs of Struts.

If you choose to stick with standards, you should write a page about
it, and the user then needs to learn for himself how he can achieve this.

As you have guessed, I am more the "standards and security docs" guy.

>> In addition a Struts json plugin should allow cross-domain Ajax by
>> default for POST only; GET should be enabled by user interaction.
>
> The plugin doesn't care, it's the configuration that determines when you use
> the interceptor or result.

Is the configuration "POST" or "GET" by default? Or must it be
configured in any case by the user?

Cheers
Christian
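
Added example, not code from the thread's participants or from the Struts JSON plugin: it shows the two technical points argued above in runnable JavaScript (Node). First, that a JSON array literal compiles as a standalone script while a JSON object literal does not (the reason the Haack article ties hijacking to arrays). Second, what the "wrap everything in a JS comment" option looks like on the wire and how a jQuery client would unwrap it with the `dataFilter` option of `jQuery.ajax` before parsing, so the comment prefix does not make jQuery fail. The helper names (`isValidScript`, `wrapInComment`, `stripCommentWrapper`) and the exact `/* ... */` wrapper format are assumptions for the example, not the plugin's real behaviour; the sample records are constructed.

```javascript
// Added example; not from the Struts project or the mailing list authors.
// Assumption: the server emits exactly "/* " + json + " */" when the
// comment-wrapper option is on. Helper names are hypothetical.

// Does `text` compile as a standalone JavaScript script?
// new Function() only compiles the body; it never executes it.
function isValidScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: the "comment wrapper" option discussed in the thread.
// A script consisting only of a comment compiles to an empty program, so a
// <script src="..."> tag pointed at this response executes nothing, for
// arrays and objects alike.
function wrapInComment(jsonText) {
  return "/* " + jsonText + " */";
}

// Client side: strip a leading /* and trailing */ (plus surrounding
// whitespace) and return the inner JSON text. A response without the
// wrapper is returned unchanged, so the same client works whether or not
// the server option is enabled. Suitable as a jQuery.ajax dataFilter.
function stripCommentWrapper(raw) {
  const m = /^\s*\/\*\s*([\s\S]*?)\s*\*\/\s*$/.exec(raw);
  return m ? m[1] : raw;
}

function parseWrappedJson(raw) {
  return JSON.parse(stripCommentWrapper(raw));
}

// Constructed sample payloads (not real data).
const ARRAY_JSON = '[{"id":1,"email":"a@example.com"},{"id":2,"email":"b@example.com"}]';
const OBJECT_JSON = '{"id":1,"email":"a@example.com"}';

// Usage with jQuery (not executed here; jQuery is not loaded in this example):
//   $.ajax({
//     url: "/orders.action",
//     dataType: "json",
//     dataFilter: function (data) { return stripCommentWrapper(data); }
//   });
```

Note the one exception to the "objects are not valid scripts" rule: an empty `{}` compiles as an empty block, so the array/object distinction is only a heuristic; the comment wrapper (or a non-JavaScript prefix the client strips) covers every shape of payload, which is the argument for making it the default.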

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

