On Fri, Mar 26, 2010 at 10:36 PM, Bill Moseley <[email protected]> wrote:
>> A bit OT but:
>> Is there any built in XSS protection built in some module in Catalyst?
>> I was thinking something like auth tokens one can add to the html only
>> known by the server and the loaded page, to protect private data sent
>> by JSON. Or isn't that secure enough?
>
> You have an example of what you need to protect against?
> If you are sending a JSON response to the client it's not really "private"
> -- any more than the html response. Guess, I don't understand your
> concern.
User data for instance, say I have an application which is password protected and I'm using the Authenticate/Authorize model coming with Catalyst. I then protect the user data with a session cookie making sure $c->user->address is shown and editable by the logged in user (based on the thought that only the user can send me the cookie). How do I protect that from another site with another tab?

YUI.Get allows cross site requests, I haven't looked too deep into it but when I take the url I see the javascript requests in gmail does and put it in a small YUI snippet will I get all my mail:

https://mail.google.com/mail/?ui=2&ik=a_secret_token_or_my_id&view=tl&start=0&num=70&rt=h&search=drafts&zx=a_secret_token_or_my_id

I've obviously removed the one or two variables google use to protect my data, which prevents another tab from actually getting more than my labels. Obviously what google has done here is using these tokens to protect me. If I don't use tokens (or some other scheme) can another site easily do the request to gmail and fetch all my mail, my contacts etc all because the browser allows a cross site script running and using the original cookies.

To me it seems cookies (at least in FF 3.5.8) aren't worth anything to make sure the request is from a logged in user and not some random site the user has gone to while having a valid cookie. Or am I overly paranoid?

If I'm not paranoid I'd like to do something like this in some_header.tt (or in a sandboxed YUI context):

    var GLOBAL_TOKEN = "[% c->auth_token %]";

and then in every request dealing with something I only want a logged in user to have access to require it to match what I've stored server side for this session.

And again, I'm no security expert and this with javascript/browser lack of security is fairly new to me so I'm not at all betting my dirty undies that I'm correct. I'd be a lot happier if I'm not since this would add a lot of hassle.
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
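As an added illustration of the token scheme sketched in the message above (this is not code from the thread or from Catalyst itself): a per-session token that only same-origin JavaScript can read, generated once at login and checked with a constant-time compare on every request that returns or changes user data. The names csrf_token, X-CSRF-Token and request_allowed are my own choices, and the example assumes a Unix /dev/urandom.

```perl
#!/usr/bin/env perl
# Added example, not from the original thread or from Catalyst.
# Runs stand-alone; the Catalyst hooks are shown as comments.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Fresh 256-bit token from the OS CSPRNG (assumption: Unix /dev/urandom).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    (my $tok = encode_base64($bytes, '')) =~ tr{+/=}{-_}d;   # URL-safe, unpadded
    return $tok;
}

# Constant-time comparison so a wrong token does not leak via timing.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Issue the token once per login and keep it in the session, e.g. in the
# Catalyst login action:   $c->session->{csrf_token} = new_token();
# The template embeds it so only same-origin script can read it:
#   var GLOBAL_TOKEN = "[% c.session.csrf_token %]";
# and the client sends it back in a header on every protected request.
sub request_allowed {
    my ($session, $presented) = @_;
    return 0 unless $session->{user};          # no logged-in user at all
    return tokens_equal($session->{csrf_token}, $presented);
}

# In a controller (hypothetical /forbidden action):
#   $c->detach('/forbidden')
#     unless request_allowed($c->session, $c->req->header('X-CSRF-Token'));

# Constructed demo: one logged-in session, three kinds of caller.
my %session = (user => 'alice', csrf_token => new_token());
printf "same-origin page with token: %s\n",
    request_allowed(\%session, $session{csrf_token}) ? 'allowed' : 'denied';
printf "other site with cookie only: %s\n",
    request_allowed(\%session, undef) ? 'allowed' : 'denied';
printf "guessed token:               %s\n",
    request_allowed(\%session, 'x' x 43) ? 'allowed' : 'denied';
```

The cookie still identifies the session; the token is what proves the request came from a page the server itself rendered, which is exactly the gap the message describes.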
