Changeset 2126

Timestamp:
01/11/07 07:43:01
Author:
miyagawa
Message:

add security doc

Files:

  • Catalyst-View-JSON/trunk/lib/Catalyst/View/JSON.pm

    r2122 r2126  
    247247 
    248248By default it returns raw JSON data so your JavaScript app can deal 
    249 with using XMLHttpRequest calls. Adding callbacks to the API gives 
    250 more flexibility to the end users of the API: overcome the 
     249with using XMLHttpRequest calls. Adding callbacks (JSONP) to the API 
     250gives more flexibility to the end users of the API: overcome the 
    251251cross-domain restrictions of XMLHttpRequest. It can be done by 
    252252appending I<script> node with dynamic DOM manipulation, and associate 
     
    283283C<validate_callback_param> method in your View::JSON class. 
    284284 
    285 See Yahoo's nice explanation on 
    286 L<http://developer.yahoo.net/common/json.html> 
     285See L<http://developer.yahoo.net/common/json.html> and 
     286L<http://ajaxian.com/archives/jsonp-json-with-padding> for more about 
     287JSONP. 
    287288 
    288289=head1 INTEROPERABILITY 
     
    320321  var json = this.evalJSON(request); 
    321322 
     323=head1 SECURITY CONSIDERATION 
     324 
     325Catalyst::View::JSON makes the data available as a (sort of) 
     326JavaScript to the client, so you might want to be careful about the 
     327security of your data. 
     328 
     329=head2 Use callbacks only for public data 
     330 
     331When you enable callbacks (JSONP) by setting C<allow_callbacks>, all 
     332your JSON data will be available cross-site. This means embedding 
     333private data of logged-in user to JSON is considered bad. 
     334 
     335  # MyApp.yaml 
     336  View::JSON: 
     337    allow_callbacks: 1 
     338 
     339  sub foo : Local { 
     340      my($self, $c) = @_; 
     341      $c->stash->{address} = $c->user->street_address; # BAD 
     342      $c->forward('View::JSON'); 
     343  } 
     344 
     345If you want to enable callbacks in a controller (for public API) and 
     346disable in another, you need to create two different View classes, 
     347like MyApp::View::JSON and MyApp::View::JSONP, because 
     348C<allow_callbacks> is a static configuration of the View::JSON class. 
     349 
     350See L<http://ajaxian.com/archives/gmail-csrf-security-flaw> for more. 
     351 
     352=head2 Avoid valid cross-site JSON requests 
     353 
     354Even if you disable the callbacks, the nature of JavaScript still has 
     355a possiblity to access private JSON data cross-site, by overriding 
     356Array constructor C<[]>. 
     357 
     358  # MyApp.yaml 
     359  View::JSON: 
     360    expose_stash: json 
     361 
     362  sub foo : Local { 
     363      my($self, $c) = @_; 
     364      $c->stash->{json} = [ $c->user->street_address ]; # BAD 
     365      $c->forward('View::JSON'); 
     366  } 
     367 
     368When you return logged-in user's private data to the response JSON, 
     369you might want to disable GET requests (because I<script> tag invokes 
     370GET requests), or include a random digest string and validate it. 
     371 
     372See 
     373L<http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html> 
     374for more. 
     375 
    322376=head1 AUTHOR 
    323377
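Review bot: typo at line 355, "possiblity" should be "possibility", and the heading at line 323 would read better as "SECURITY CONSIDERATIONS" since two subsections follow it. The mitigation advice at lines 368-370 is correct but should be made concrete: refusing GET for the action that returns private JSON removes the I<script>-tag vector entirely, whereas "include a random digest string and validate it" should state that the value must be bound to the logged-in session and checked before the stash is populated, otherwise it is just another parameter the embedding page can supply. Line 356 says "Array constructor C<[]>", but C<[]> is the array literal; the thing being overridden is the C<Array> constructor, so "by overriding the C<Array> constructor" is the accurate wording. Lines 332-333, "embedding private data of logged-in user to JSON is considered bad", would read more clearly as "embedding a logged-in user's private data in the JSON is a bad idea". Finally, the second YAML snippet (lines 358-360) is meant to show the callbacks-disabled case, but it only sets C<expose_stash>; showing C<allow_callbacks: 0> explicitly there would avoid a reader assuming the first snippet's setting still applies.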