Ajax Considered Harmful?

I'm gonna have to think about this one: csej (Cross-Site Evilness with JSON) makes a good point about the potential for abuse that can occur in the following situation:

1) You are logged into a private, AJAX-enabled site in one tab

2) You visit a bad guy in another tab

Traditionally, the bad guy could cause your browser to make an authenticated request to the private site, but the content of the response would not be visible to his script, because the response would be rendered inside an iframe whose contents his script cannot read.

But if the request is sent by XMLHttpRequest and a JSON object or a collection of JSON objects is requested, then the response will be visible to the bad guy's JavaScript... hmm.

I'd like to see a demo to prove that XMLHttpRequest will send the session cookie for the private site with a request that originated on a page controlled by the bad guy.

Even if it doesn't work as described, it's close enough to warrant the use of a shared secret, in addition to the session cookie, when transmitting private data.

By Chris Snyder on April 11, 2006 at 1:01am