[12:59:08 CDT(-0500)] <EricDalquist> freaking javascript
[12:59:09 CDT(-0500)] <EricDalquist> http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
[12:59:55 CDT(-0500)] <athena> evil
[13:00:17 CDT(-0500)] <athena> probably still need to talk about what we want to do for REST feed security
[13:00:28 CDT(-0500)] <EricDalquist> I'm doing more looking into CSRF protection for a portlet I'm working on here
[13:00:38 CDT(-0500)] <EricDalquist> and finding all sorts of badness that can be done
[13:00:42 CDT(-0500)] <athena> :/
[13:00:56 CDT(-0500)] <EricDalquist> primarily because JS is so flexible
[13:01:09 CDT(-0500)] <athena> yeah
[13:14:09 CDT(-0500)] <EricDalquist> hrm ok I re-read that looks like if you do true json
[13:14:10 CDT(-0500)] <EricDalquist> and have {} be your top level element the data is safe
[13:14:11 CDT(-0500)] <EricDalquist> it isn't safe when the top level element is an []
[13:14:25 CDT(-0500)] <athena> gotcha
[13:14:30 CDT(-0500)] <athena> don't know that it's even possible to make it unsafe using the spring json view then
[13:14:37 CDT(-0500)] <EricDalquist> I don't think it is
[13:14:39 CDT(-0500)] <athena> yeah
[13:14:40 CDT(-0500)] <athena> think the view requires a map
[13:14:49 CDT(-0500)] <EricDalquist> http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/json/MappingJacksonJsonView.html#setPrefixJson(boolean)
[13:14:50 CDT(-0500)] <EricDalquist> interesting feature
[13:18:02 CDT(-0500)] <EricDalquist> interesting, another mitigation approach is to look for "Content-Type: application/json" in the request
[13:18:12 CDT(-0500)] <EricDalquist> that is never set by a browser when making a request from a <script> tag
[13:18:26 CDT(-0500)] <EricDalquist> and in that case just throw a 400 class error
[13:28:16 CDT(-0500)] <athena> interesting
[13:28:32 CDT(-0500)] <athena> that seems like a workable approach
[13:28:55 CDT(-0500)] <athena> i like these solutions that don't seem to impact things like cachine
[13:28:57 CDT(-0500)] <athena> er, caching
[13:33:43 CDT(-0500)] <EricDalquist> yeah
[13:36:43 CDT(-0500)] <EricDalquist> the only down side of that one is trying to view the JSON response directly in a browser would get you the unauthorized error
[13:43:09 CDT(-0500)] <athena> hm, which one would?
[13:43:33 CDT(-0500)] <EricDalquist> the server checking the accept or content-type headers on the requet
[13:44:01 CDT(-0500)] <EricDalquist> the point of it is to make sure your JS always sets the json content type and accept headers
[17:35:35 CDT(-0500)] <rickard> holdorph: You there?
[17:36:06 CDT(-0500)] <holdorph> partially (somewhat busy in another window, but will respond here as I'm able)
[17:36:39 CDT(-0500)] <rickard> Ok. Sorry to bother you, but I'm stuck on an XSL/XPath issue that you might be able to help me with.
Page Comparison
General
Content
Integrations