[OpenAjaxSecurity] Google has posted an article on Ajax security
Jon Ferraiolo
jferrai at us.ibm.com
Wed Apr 4 12:53:10 PDT 2007
Bertrand,
Thanks for referencing the MS posting.
I read through the JavaScript hijacking article and I think it throws a
spotlight on just a couple of issues among many. For the issues pointed out
in the article, there are techniques to address the potential problem, and
ASP.NET uses some of those techniques.
The question for the security task force is what role OpenAjax should play.
Here are some options:
(1) We could play an educational role. There are known techniques for many
of the most well-known Ajax vulnerability issues. OpenAjax Alliance could
create white papers or web pages that describe these vulnerabilities and
techniques for addressing them (or link to other sources which provide the
details).
(2) We could define a set of Ajax security best practices as part of our
OpenAjax Conformance trust brand. In order for products to claim OpenAjax
Conformance, they would have to support our security-related best
practices.
(3) We could play a role in improving the security infrastructure of the
Web. Maybe there are improvements to the browser or server technologies
which would help with security issues. (One example might be federated
authentication.)
I don't have an opinion yet, but my instincts are that there is something
we can do around (1) and (2) at least.
Jon
Bertrand Le Roy <Bertrand.Le.Roy@microsoft.com>
Sent by: security-bounces@openajax.org
04/04/2007 11:48 AM
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxSecurity] Google has posted an article on Ajax security
Please respond to OpenAjax Alliance Security Task Force <security at openajax.org>
FYI, here’s the Microsoft answer on the JSON hijacking vulnerability that
made the news yesterday:
http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Monday, April 02, 2007 4:07 PM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Google has posted an article on Ajax security
Google has posted an article on Ajax security:
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security
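Jon notes above that known techniques address the JSON hijacking issue and that ASP.NET uses some of them; the ASP.NET post Bertrand links describes its approach (JSON endpoints answer only POST requests carrying Content-Type: application/json, and the payload is wrapped in an object). The following is an added example, not code from this thread, from OpenAjax, from ASP.NET or from the Google article: it puts a deliberately hijackable endpoint beside a guarded one and shows why a cross-site `<script src="...">` inclusion gets nothing from the guarded response. The request shape, the helper names and the constructed sample record are assumptions; the `)]}',` prefix is a separate, widely used guard and is not the ASP.NET mechanism.

```javascript
// Added example (not from the thread or the projects it links).
// JSON hijacking: a hostile page includes a same-site JSON URL via
// <script src>, the browser sends the victim's cookies, and the response
// is evaluated as JavaScript. The guards below stop that.

// Constructed sample record standing in for per-user data.
const SENSITIVE = [{ user: "alice", balance: 1200 }];

// Prefix that is a syntax error when the body is run as a script but is
// trivially stripped by a cooperating XMLHttpRequest client. (Assumed
// convention for this example; not what ASP.NET AJAX emits.)
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Hijackable pattern: a bare JSON array, served on any method with no
// header check. A plain <script src> fetch receives exactly this body.
function vulnerableJsonEndpoint(req) {
  return { status: 200, body: JSON.stringify(SENSITIVE) };
}

// Guarded pattern, following the ASP.NET AJAX principle: a <script> tag can
// only issue a GET and cannot set headers, so requiring POST plus a header
// only an XMLHttpRequest from our own origin can send blocks inclusion.
// The payload is additionally wrapped in an object and prefixed.
function handleJsonRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k.toLowerCase()] = v;
  }
  if (req.method !== "POST") {
    return { status: 405, body: "" };
  }
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  const xhr = headers["x-requested-with"] === "XMLHttpRequest";
  if (ct !== "application/json" && !xhr) {
    return { status: 403, body: "" };
  }
  return {
    status: 200,
    body: ANTI_HIJACK_PREFIX + JSON.stringify({ d: SENSITIVE }),
  };
}

// Client side: refuse a response that lacks the prefix (it did not come
// from the guarded endpoint), then strip it and unwrap the object.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response missing anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length)).d;
}

// Models what the attacker's <script src> achieves: the body must at least
// parse as a JavaScript program before any Array/setter hooks could observe
// the data. Returns true when it parses, false on SyntaxError.
function wouldParseAsScript(body) {
  try {
    new Function(body); // parse only; nothing is executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Walk-through on constructed requests.
function demo() {
  const scriptTagGet = { method: "GET", headers: {} };
  const formPost = {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
  };
  const xhrPost = {
    method: "POST",
    headers: { "Content-Type": "application/json; charset=utf-8" },
  };
  return {
    vulnerableParses: wouldParseAsScript(vulnerableJsonEndpoint(scriptTagGet).body),
    guardedGetStatus: handleJsonRequest(scriptTagGet).status,
    guardedFormPostStatus: handleJsonRequest(formPost).status,
    guardedOkStatus: handleJsonRequest(xhrPost).status,
    guardedParses: wouldParseAsScript(handleJsonRequest(xhrPost).body),
    clientSees: parseGuardedJson(handleJsonRequest(xhrPost).body),
  };
}
```

The POST-plus-header check is the decisive control: it rejects the only request shape a `<script>` tag can produce. The prefix and object wrapper are defence in depth for an endpoint that is later, by mistake, opened to GET. Note that the header check alone depends on the browser not letting a cross-site page add headers to a script-tag fetch, which is why it must be combined with the method check rather than used on its own.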