Simon Willison’s Weblog

Subscribe

Items tagged javascript, security in 2010

Filters: Year: 2010 × javascript × security × Sorted by date


Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?

It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.

[... 105 words]

1:37 pm / 7th December 2010 / ajax, javascript, security, webdevelopment, quora

Why do some websites implement their logout link as a form post via JavaScript versus a plain old GET request?

Probably because if you implement logout as a GET action, I can force you to log out of a site by tricking you in to visiting a page with an <img src="http://yoursite.com/logout/" width="1" height="1"> element on it.

[... 64 words]

11:47 am / 16th October 2010 / javascript, rest, security, webdevelopment, quora

Why are XSS attacks spreading like fire these days?

XSS attacks are common and easy, and crop up all the time. What’s new is that the number of people who are aware of the potential for XSS worms has increased hugely, so when an XSS does crop up in something popular there’s a much higher chance of someone turning it in to a worm (as happened with Twitter the other day).

[... 96 words]

5:29 pm / 27th September 2010 / javascript, security, webapps, xss, quora

Why do some people disable JavaScript in their browser?

For security reasons.

[... 159 words]

1:37 pm / 25th August 2010 / csrf, javascript, privacy, security, xss, quora

Busting frame busting: a study of clickjacking vulnerabilities at popular sites (via) Fascinating and highly readable security paper from the Stanford Web Security Research group. Clickjacking can be mitigated using framebusting techniques, but it turns out that almost all of those techniques can be broken in various ways. Fun examples include double-nesting iframes so that the framebusting script overwrites the top-level frame rather than the whole window, and a devious attack against the IE and Chrome XSS filters which tricks them in to deleting the framebusting JavaScript by reflecting portions of it in the framed page’s URL. The authors suggest a new framebusting snippet that should be more effective, but sadly it relies on blanking out the whole page in CSS and making it visible again in JavaScript, making it inaccessible to browsers with JavaScript disabled. # 24th May 2010, 11:40 am

Types

Years

Months

Tags