[OpenAjaxSecurity] Google has posted an article on Ajax security

Jon Ferraiolo jferrai at us.ibm.com
Wed Apr 4 12:53:10 PDT 2007

Thanks for referencing the MS posting.

I read through the JavaScript hijacking article and I think it throws a
spotlight on just a couple of issues among many. For the issues pointed out
in the article, there are techniques to address the potential problem, and
ASP.NET uses some of those techniques.

The question for the security task force is what role OpenAjax should play.
Here are some options:

(1) We could play an educational role. There are known techniques for many
of the most well-known Ajax vulnerability issues. OpenAjax Alliance could
create white papers or web pages that describe these vulnerabilities and
techniques for addressing them (or link to other sources which provide the

(2) We could define a set of Ajax security best practices as part of our
OpenAjax Conformance trust brand. In order for products to claim OpenAjax
Conformance, they would have to support our security-related best

(3) We could play a role in improving the security infrastructure of the
Web. Maybe there are improvements to the browser or server technologies
which would help with security issues. (One example might be federated

I don't have an opinion yet, but my instincts are that there is something
we can do around (1) and (2) at least.


From: Bertrand Le Roy, microsoft.com
Sent by: security-bounces@openajax.org
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Date: 04/04/2007 11:48 AM
Subject: Re: [OpenAjaxSecurity] Google has posted an article on Ajax security
Please respond to: OpenAjax Alliance Security Task <security at openaja

FYI, here’s the Microsoft answer on the JSON hijacking vulnerability that
made the news yesterday:

From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Monday, April 02, 2007 4:07 PM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Google has posted an article on Ajax security

Google has posted an article on Ajax security:

security mailing list
security at openajax.org
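The "JavaScript hijacking" issue the thread refers to, and the kind of server-side technique it mentions ASP.NET using, shown as an added example written for this archive page (it is not code from the OpenAjax Alliance, Microsoft or Google). The vulnerable pattern is a per-user JSON array returned to a cookie-authenticated GET, which a hostile page could pull in cross-site with a script tag; the mitigations make the response fail to parse as a script and reject requests a script tag could make. The `d` wrapper key, the `)]}',` prefix, the header names and the sample data are assumptions chosen for illustration.

```javascript
// Added example, not the thread's or ASP.NET's own code. Demonstrates why a bare
// JSON array is hijackable via <script src="https://victim/api"> (the browser
// sends the victim's cookies and evaluates the body as a script) and two
// response-side mitigations plus one request-side check.

// Constructed sample data standing in for a per-user API response.
const SAMPLE_CONTACTS = [
  { id: 1, email: "alice@example.invalid" },
  { id: 2, email: "bob@example.invalid" },
];

// Vulnerable: a bare array literal is a complete, valid JavaScript program.
// In pre-ES5 engines an overridden Array constructor or a prototype setter on
// the attacker's page could then capture the values as the script ran.
function serveVulnerable(data) {
  return JSON.stringify(data);
}

// Mitigation 1 (the shape ASP.NET AJAX uses): wrap the payload in an object
// under a fixed key. At statement position `{` opens a block, and `"d":`
// inside a block is a syntax error, so a script tag cannot evaluate it.
function serveWrapped(data) {
  return JSON.stringify({ d: data });
}

// Mitigation 2: prepend a prefix that is never valid JavaScript, so the
// browser's script parser aborts before any data is evaluated. The exact
// prefix is an assumption for this example; XHR clients strip it.
const UNPARSEABLE_PREFIX = ")]}',\n";
function servePrefixed(data) {
  return UNPARSEABLE_PREFIX + JSON.stringify(data);
}

// Simulates what <script src> inclusion does to a body: parse it as a script.
// Parsing (without running) is enough to show exposure.
function isExecutableAsScript(body) {
  try {
    new Function(body); // eslint-disable-line no-new-func
    return true;
  } catch (_e) {
    return false; // SyntaxError: a script tag would not run this
  }
}

// The legitimate XMLHttpRequest client: strip the prefix if present, then
// unwrap the `d` envelope if present, returning the original payload.
function parseProtected(body) {
  const text = body.startsWith(UNPARSEABLE_PREFIX)
    ? body.slice(UNPARSEABLE_PREFIX.length)
    : body;
  const parsed = JSON.parse(text);
  const isEnvelope = parsed !== null && typeof parsed === "object" &&
    !Array.isArray(parsed) && Object.prototype.hasOwnProperty.call(parsed, "d");
  return isEnvelope ? parsed.d : parsed;
}

// Request-side check: a cross-site <script> tag can only issue a plain GET
// with no custom headers, so require POST, a JSON content type and an
// XHR-only header (header names are assumed for this example).
function isAcceptableRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k.toLowerCase()] = v;
  }
  return req.method === "POST" &&
    headers["x-requested-with"] === "XMLHttpRequest" &&
    String(headers["content-type"] || "").startsWith("application/json");
}

// Stand-alone demo: which responses a script tag could evaluate.
function summarize(data) {
  return {
    bareArrayRunsAsScript: isExecutableAsScript(serveVulnerable(data)),
    wrappedRunsAsScript: isExecutableAsScript(serveWrapped(data)),
    prefixedRunsAsScript: isExecutableAsScript(servePrefixed(data)),
  };
}

console.log(summarize(SAMPLE_CONTACTS));
```

The wrapper and the prefix only help if every client path goes through `parseProtected` (or an equivalent) rather than `eval`; the request check is the complementary defense, since a script tag cannot set `X-Requested-With` or a JSON content type, while a same-origin XMLHttpRequest can.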
