On Sun, Mar 28, 2010 at 7:12 AM, Jon mailinglists <jon.ml...@gmail.com> wrote:
> In my catalyst app I have this sub (not really, but this makes things
> easier to follow):
>
> sub get_info : Local {
>     my ($self, $c) = @_;
>
>     my $info = $c->user->member_info;
>     my $res = 'MyNamespace.callback({"ResultSet":{"totalResultsAvailable":"73399","firstResultPosition":"0","totalResultsReturned":"20","Result":[{"Title":"'
>         . $info->get_column('first_name') . ' ' . $info->get_column('last_name')
>         . '","zip_code":"' . $info->get_column('areacode') . '"}]}});';
>     $c->response->body($res);
> }

I think I get it now. I first thought you were talking about users adding javascript to pages you render -- that is, allowing someone to inject script onto your pages.

(I'm hoping someone will jump in and correct anything I say wrong here -- which often seems like the best way to get a response here...)

I think the short answer is, don't return JSONP -- don't return JSON wrapped in a function call. That's a way to bypass security provided by the same-origin policy.

Let me restate what I think you are saying:

1. The "good site" (MY-CATALYST-SERVER in your example) returns the JSONP above as long as the user is logged in. By "logged in" that means the request includes a valid session id in the cookie.

2. In another tab of the same browser when viewing a page from "evil_empire.com" a request is made to http://MY-CATALYST-SERVER:3000/member/get_info.

3. That request will include the cookie required to gain access (and thus return private user data).

4. Javascript is returned that includes a call to a function passing the user's private data to that function.

5. evil_empire.com now has access to the user's name and zip code.

Yes, this is true. This is a security hole. But by returning JSONP you gave away this access. JSONP is "application/javascript" -- and as such it can be loaded from any domain. Loading javascript is not limited by same-origin policy. (If it was then Content Delivery Networks would be of limited use.)

Note, this has nothing to do with YUI.Get. evil_empire.com just needs to add a <script> tag to their page to fetch the JSONP from your app. YUI.Get just provides a dynamic way to accomplish that.

Your application should only return data via JSON, not JSONP. For a script to read JSON data it needs to use XMLHttpRequest and that request is limited by the same-origin policy. That is, javascript running on evil_empire.com's page cannot do an AJAX request to your catalyst application.

Hopefully, that's clear -- and correct. ;)

-- 
Bill Moseley
mose...@hank.org
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
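The fix Bill recommends, written out as an added example (this is not code from the thread or from the Catalyst project): the same `get_info` action, but returning plain `application/json` with no `MyNamespace.callback(...)` wrapper. The controller package name, the `user_exists` login check (from Catalyst::Plugin::Authentication) and the sample values are assumptions; `$c->user->member_info` and the `get_column` calls are taken from Jon's sub. Building a Perl data structure and letting a JSON encoder serialise it also gives correct quoting and escaping of the name fields, which the hand-built string concatenation in the original did not guarantee.

```perl
package MyApp::Controller::Member;   # hypothetical controller name
use strict;
use warnings;
use base 'Catalyst::Controller';
use JSON::PP;   # core module; JSON::XS has the same interface if installed

# Serialise the member record as plain JSON (no function-call wrapper).
# Kept separate from the action so it can be unit-tested without Catalyst.
sub member_info_json {
    my ($first, $last, $zip) = @_;
    my $data = {
        ResultSet => {
            totalResultsAvailable => "73399",
            firstResultPosition   => "0",
            totalResultsReturned  => "20",
            Result => [ { Title => "$first $last", zip_code => $zip } ],
        },
    };
    # utf8() emits bytes ready for the response body; canonical() sorts keys
    # so the output is stable. The encoder escapes quotes and control
    # characters in the name fields for us.
    return JSON::PP->new->utf8->canonical->encode($data);
}

# Same URL as in the thread (/member/get_info), but the response is data,
# not a script. Another origin's <script> tag can still request this URL
# with the user's cookie attached, but the browser gives that page no way
# to read the body; only a same-origin XMLHttpRequest can parse it.
sub get_info : Local {
    my ($self, $c) = @_;

    # Assumed login check (Catalyst::Plugin::Authentication's user_exists).
    unless ($c->user_exists) {
        $c->response->status(401);
        $c->response->body('');
        return;
    }

    my $info = $c->user->member_info;

    $c->response->content_type('application/json');
    $c->response->body(member_info_json(
        $info->get_column('first_name'),
        $info->get_column('last_name'),
        $info->get_column('areacode'),
    ));
}

1;
```

With sample input, `member_info_json('Jane', 'Doe', '90210')` returns `{"ResultSet":{"Result":[{"Title":"Jane Doe","zip_code":"90210"}],"firstResultPosition":"0","totalResultsAvailable":"73399","totalResultsReturned":"20"}}`, which a same-origin page reads with `JSON.parse` on the XMLHttpRequest response text. The `Content-Type` matters too: a browser told it is receiving `application/json` has no reason to evaluate the body as script, which is the whole difference between this and the JSONP version.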