php - Is this ajax behavior normal, security-wise?


It seems I'm failing to understand AJAX security, and it's not helping that I keep getting contradicting answers to my questions. So I did an experiment.

I have JS code on site1.com, located at http://site1.com/script.js. On the server side it makes an entry in the database and doesn't return any output. When I call the function from site1.com, I see the entry logged in the database as expected.

    // Posts input=1 to site1.com's endpoint; the server writes a row and returns nothing.
    function enterdb() {
      $.ajax({
        async: false,
        url: 'http://site1.com/test?format=json',
        type: 'post',
        data: { input: '1' },
        success: function (resp) {
          alert(resp);
        }
      });
    }

I copied the same JS into a JS file on othersite.com, located at http://othersite.com/script.js, to see for myself whether it would log to the database. It did not, which is what I want, because I don't want people playing with my AJAX URLs from other external scripts. This contradicts some of the answers I read in previous questions.

This answer matches the result I got:

    Cross domain is banned because of the same origin policy.

But the same answer also said:

    Your JavaScript making an XHR and something else spoofing one are the same; it is impossible to differentiate (though you can make it harder).

So what's the verdict? My goal is to secure my AJAX URLs so they're not used by external sites as an API to dump data from the database.

Short answer: you are not safe against the issue you mention.

Long answer:

Given:

  • A — a site you control
  • B — a site someone else controls
  • Charlie — a visitor to site A who has credentials there

    Your JavaScript making an XHR and something else spoofing one are the same; it is impossible to differentiate (though you can make it harder).

This means you can't tell the difference between Charlie visiting A and Charlie manually constructing an HTTP request to access the URLs you provide for JavaScript access.

    So what's the verdict? My goal is to secure my AJAX URLs so they're not used by external sites as an API to dump data from the database.

If Charlie visits site B, site B can't read data from site A via Charlie's browser (with Charlie's credentials).

Site B can cause a request to be made to site A from Charlie's browser, though (e.g. by submitting an invisible form, loading an invisible iframe, or using JS), so site B can cause data to be inserted. This is cross-site request forgery, and there are ways to defend against it.

