I'm gonna have to think about this one: csej (Cross-Site Evilness with JSON) makes a good point about the potential for abuse that can occur in the following situation:
1) You are logged into a private, AJAX-enabled site in one tab
2) You visit a bad guy in another tab
Traditionally, the bad guy could cause your browser to make an authenticated request to the private site, but the content of the response would not be visible to his script, because it would be in an iframe.
I'd like to see a demo to prove that xmlHttpRequest() will send the session cookie for the private site with a request that originated on a page controlled by bad guy.
Even if it doesn't work as described, it's close enough to warrant the use of a shared secret besides a session cookie when transmitting private data.
By Chris Snyder on April 11, 2006 at 1:01am