Comments on: JSON and Browser Security

By: Douglas Crockford

Douglas Crockford — Wed, 05 Mar 2008 02:11:41 +0000

Closures are safe, but there is not a secure way to get the key into the closure. So no good.

By: Chas

Chas — Tue, 04 Mar 2008 22:31:16 +0000

So it would do no good to store the key in a closure?

By: Messages in a bottle » Blog Archive » Gravity never sleeps (notations that use eval)

Sat, 29 Dec 2007 02:40:15 +0000

[…] it, so that the developer doesn’t have to use eval. And last April, Doug Crockford argued in a piece on JSON and browser security that JSON is security neutral (as near as I can make out, because the security problem is in the […]

By: Kevin Hoang Le

Kevin Hoang Le — Fri, 17 Aug 2007 17:25:41 +0000

Douglas,
Great article. Everything is well explained, except I am still confused by the section “Don’t Send Data to Strangers” and your previous answer to TC.

Why am I confused?

1. So external scripts are dangerous, we hear that. But even if I do not include any external script, this still remains as a valid concern, right? Because someone evil do NOT really need me to include their evil scripts in order to steal information, they can just make the requests directly to my server? Without any form of authentication, my server cannot tell whether the request come from my page or anywhere else, and it’s bad if my server blindly return the JSON data to anyone, right?

2. If I understand correctly, the your proposed solution is something like this:

a. Have the server code authenticate the very first request. Assume valid credential, then create a secret and return along in the JSON payload.

b. In subsequent requests, have the server code authenticate using the secrets from previous responses and keep generate new secrets to send back in each response?

Thanks for clarifying.

By: Sivaraj

Sivaraj — Tue, 31 Jul 2007 08:32:55 +0000

I’ve some issues with JSON string.
can anyone tell me the reason for not allowing # and ;.

In my application I’ve have escape utility, which escapes all special character to a standard ECMA character. Which will be like “&#”+charCode+”;”

This works in all cases like string to XML, string to HTML and XML to html.

when i try to use JSON as my data interchange format, it is not tokenizing my string which has got ECMA characters.

Thanks,
Sivaraj.

By: Elliot Murphy 28:1 » Blog Archive » links for 2007-07-25

Elliot Murphy 28:1 » Blog Archive » links for 2007-07-25 — Wed, 25 Jul 2007 23:25:55 +0000

[…] JSON and Browser Security » Yahoo! User Interface Blog JSON is a data interchange format. It is used in the transmission of data between machines. Since it carries only data, it is security-neutral. The security of systems that use JSON is determined by the quality of the design of those systems. JSON itself […]

By: 开发者 » Blog Archive » 原创翻译：JSON和浏览器安全(作者：Douglas Crockford)

开发者 » Blog Archive » 原创翻译：JSON和浏览器安全(作者：Douglas Crockford) — Fri, 29 Jun 2007 13:23:29 +0000

[…] April 10, 2007 at 10:14 am by Douglas Crockford 翻译：Frank Cheung 文章出处：http://yuiblog.com/blog/2007/04/10/json-and-browser-security […]

By: Tom Metro

Tom Metro — Thu, 03 May 2007 03:09:17 +0000

The correct URL for the article mentioned in a comment above is:
http://www.port80software.com/200ok/archive/2007/03/15/29258.aspx

It basically says to incorporate rules on the server side to validate the referrer header as part of the authorization process.

However, I think this approach is equally vulnerable to an attack that exploits XSS to inject a rogue SCRIPT tag into the target application’s HTML. The rogue JavaScript will run in the application’s context, have access to its secretes, and requests it makes to your server (if well engineered) will be indistinguishable from legitimate requests.

-Tom

By: JP

JP — Fri, 20 Apr 2007 11:21:52 +0000

Tim, yup totally agree (the link above goes to my blog post about it), the nonce really is an excessive level of paranoia, which is probably only worthwhile for very specific applications (Amazon’s S3 as an example - and they don’t even do real server generated Nonce’s…but anyway). Some sort of per session key is probably enough for all applications.

By: Tim McCormack

Tim McCormack — Wed, 18 Apr 2007 14:31:38 +0000

jp, the reason you can’t do a “rolling nonce” (to coin a phrase) is that we’re dealing with asynchronous requests. You aren’t guaranteed a response (with new key) to occur before the next request.

Additionally, we should consider the spectre of multiple tabs or windows. New authentication keys must be shared between open views. (Cookie-based storage of authentication keys?)