| |||||||||||||
|
| |||||||||||||
AJAX and securityAJAX and securityPosted Sep 8, 2006 15:32 UTC (Fri) by jbellis (guest, #14804)In reply to: AJAX and security by dlang Parent article: AJAX and security
"With AJAX, those 'internal' functions are being called over the Internet by your app running on the client."
If your framework really exposes all internal functions to AJAX callers, you should use a better framework.
(If not, such hyperbole is silly.)
(Log in to post comments)
AJAX and security Posted Sep 8, 2006 16:03 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link] I'm not saying that ALL of your internal functions are exposed, but the various things that are called by the browser javascript to perform actions are viewed by most ajax folks as being internal functions
i.e. there is never any intention of a browser connecting to them directly, only the javascript that's loaded from another page ever connects to it. and the viewpoint is that since you control that javascript you control the input to those routines.
these are the 'internal' functions that are exposed.
really good architects won't consider these internal, but far to many people do :-)
AJAX and security Posted Sep 8, 2006 22:34 UTC (Fri) by mrshiny (subscriber, #4266) [Link] But frankly this is not a new phenomenon. There have been tons of sites in the past that have done things like generate SQL on the client, or store permissions in cookies, or other stupid things. Ajax changes nothing; saying that there are security issues with Ajax is misleading.
The article seems to imply (in its headline mainly) that Ajax has security problems, and conversely that not using Ajax is secure. This article would have been better conceived as an article about web programming, with only a single paragraph dedicated to Ajax in particular. The security risks are real; let's tell all web programmers about them, instead of scaring people away from Ajax, or giving non-Ajax users a false sense of security.
|
|
||||||||||||