[OpenAjaxSecurity] Using .CSS as payload for secure cross site communication

Gideon Lee glee at openspot.com
Sat Sep 29 11:26:26 PDT 2007


This is the idea I talked about in my last response to Sumeer on the discussion of SMash.  For those who somehow have not got that email: essentially, the hack can be summarized as a secure interim replacement for JSON using CSS as payload, before HTML5 gives us secure cross-site communication.  For the purpose of SMash (which too can be seen as a secure mashup enabler until something like that appears natively in the browsers), this can complement it as a data performance helper.  The reason is that most web widgets receive data from a server anyway.  So we can use SMash to do the initial communication, and this to pump large data payloads across domains.  This proposal can also be used as the basis for an alternative transport to XHR for the server-side hub work which Greg Wilkins is leading.

Even though it works on the few browsers I tested, I'm not absolutely sure if it addresses all security issues. I'd appreciate thoughts from all of you.  Thank you very much.

Gideon Lee


-------------- next part --------------
A non-text attachment was scrubbed...
Name: XDDE-S.doc
Type: application/msword
Size: 35328 bytes
Desc: not available
Url : http://openajax.org/pipermail/security/attachments/20070929/db4bf7f0/attachment-0001.doc 
