JavaScript mashups raise application security issues; require caution

By Jack Vaughan, Correspondent
05 Nov 2007 | SearchSoftwareQuality.com


The surge in use of JavaScript and mashups puts greater stress on developers to achieve security within the common Web browser. Even new tools to improve Asynchronous JavaScript and XML (Ajax) interface building can aggravate security problems if they are not handled correctly, according to Douglas Crockford, evangelical architect at Yahoo and creator of JavaScript Object Notation (JSON).

Mashups combine content, and with it script, from different sources within a single page. But they are inherently insecure. "If there is script from two sources, it isn't secure," Crockford told attendees at last month's The Ajax Experience conference in Boston.

"Mashups are cool. Unfortunately, mashups are insecure. They have access to any confidential information," he said.

Mashups are not entirely new. The rotating advertising banners that grace so many Web pages are a form of mashup: third-party script running inside the publisher's page. People working in that environment have engineered alternatives to plain JavaScript with security as the goal, and Crockford pointed developers seeking safety to ADsafe for guidance on mashup methods.

ADsafe defines a safe subset of JavaScript for Ajax developers. Among the features the ADsafe crew has removed from vanilla JavaScript are access to the built-in functions and objects and access to global variables. ADsafe also forbids `eval` outright, and Crockford advised developers to avoid it in any JavaScript application building.

The cause of the problem
From the outset, the browsers themselves were poorly designed, and JavaScript is not a secure programming language, cautioned Crockford. But JavaScript is not unique in this. "There are very few secure programming languages," he said.

"The problem with mashups is that all scripts look the same to the browser. Virtually all languages suffer from the same problem," Crockford added. This was not anticipated by the original browser makers. "There was no idea in the past that mashups would exist," he said. And scripts that leak from one mashup module to another are a real issue.

Crockford said the Document Object Model (DOM) used in so many JavaScript applications today is basically insecure. JSON, the object notation Crockford devised, is safe when used correctly, he said.

Developers mindful of security should be aware that JavaScript dumps all scripts into a common global space, so any information in any component is visible to any other component. "If any application gets access to any element in the DOM, it gets access to anything in the DOM. HTML reads it all," Crockford said.

While JSON has some inherent safety, developers can mis-apply it.

"A favorite way of misusing JSON is the Script Tag Hack," Crockford said. "Scripts, strangely, are exempt from the Same Origin Policy."

[Going back to Netscape Navigator 2.0, the Same Origin Policy prevents a browser document from one origin (scheme, host and port) from getting or setting properties of a document from a different origin. A `<script src>` tag, however, may load code from any origin, and the browser runs it with the including page's privileges, sending the user's cookies for that origin along with the request. If the fetched resource is really data, such as a JSON response served to a logged-in user, the including page can capture it.]

Crockford also advised developers not to wrap JSON text in comments; a string value containing `*/` closes the comment early and turns the rest of the text into executable script. Instead he recommended parsing JSON with the string.parseJSON method of his json.js library, which rejects anything that is not JSON syntax: given "evil script" instead of JSON, it raises a syntax error exception rather than executing anything. That is preferable to some nefarious alternatives. Browsers now provide the same contract natively as JSON.parse.
