>> - don't use javascript arrays to return as a json string
>
> It really doesn't matter if it's an array or object, if it's valid json that
> the browser will attempt to execute it's vulnerable.
http://haacked.com/archive/2009/06/25/json-hijacking.aspx

"The fact that this is a JSON array is important. It turns out that a script that contains a JSON array is a valid JavaScript script and can thus be executed. A script that just contains a JSON object is not a valid JavaScript file."

Maybe there are other exploits, but I only know what you sent as links. And those are saying you need a JSON array because JSON objects are not valid js statements.

>> You mentioned to put everything into a js comment. This breaks the
>> protocol definition and will cause jQuery to fail (and probably
>> others).
>
> If it's doing XHR, I'm certain you can insert a filter to make it work
> either way, but making the result configurable doesn't seem to be an
> unreasonable request. I still suggest that the default behavior is to
> protect users' data.

I just checked: http://api.jquery.com/jQuery.ajax/

jQuery does XHR (wrapped in a jqXHR object), but I would not have a clue how I could remove those comments. For sure this issue would drive me crazy.

It is a more philosophical debate. Should a framework provide standards and the user decides how he applies security? Or does the framework decide between lots of options about the user's security and break the standards?

As a Struts user, these are my expectations: If you choose the latter one (even when configurable), you should provide information on what you have done, why it is done and how you can work with this security standard in common tools like jQuery, Prototype, Dojo etc. I, as a user, want to make my way quickly through everything. Sometimes I don't care about security (prototype), sometimes it is not necessary (internal app, non-sensitive data). If I care, I can always read the security docs of Struts. If you choose to stick with standards, you should write a page about it and the user then needs to learn for himself how he can achieve this.

As you have guessed, I am more the "standards and security docs" guy.
>> In addition a Struts json plugin should allow crossdomain ajax by
>> default for POST only, GET should be enabled by user interaction.
>
> The plugin doesn't care, it's the configuration that determines when you use
> the interceptor or result.

Is the configuration "POST" or "GET" by default? Or must it be configured in any case by the user?

Cheers
Christian
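Added example, not part of the thread and not code from the Struts JSON plugin. It shows in plain JavaScript the two points argued above: a bare JSON array compiles as a JavaScript program (so a <script src> pointing at it would run), a bare JSON object does not, and a response wrapped in a /* ... */ comment can still be used from XHR once the client strips the wrapper. The wrapper format, the function names and the sample responses are assumptions made for the illustration; jsonDataFilter is written in the shape of the dataFilter option documented for jQuery.ajax, which receives the raw response text and the dataType and returns the text jQuery then converts.

```javascript
// Added example; not code from the thread or from the Struts JSON plugin.
// Assumptions: the server wraps JSON in a "/* ... */" comment (the "put
// everything into a js comment" option discussed above); function names and
// sample responses below are made up for illustration.

// Compile `text` as a JavaScript program, as a <script src="..."> tag would.
// Returns true when the engine accepts it, false on SyntaxError. Nothing is
// executed: new Function only compiles the body.
function isExecutableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Remove a surrounding "/* ... */" comment if present. Bare JSON passes
// through unchanged, so one client code path works whether or not the
// server-side wrapper is switched on.
function stripCommentWrapper(text) {
  let body = text.trim();
  if (body.startsWith("/*") && body.endsWith("*/")) {
    body = body.slice(2, -2).trim();
  }
  return body;
}

// What an XHR client does with the response: unwrap, then parse.
function unwrapCommentedJson(text) {
  return JSON.parse(stripCommentWrapper(text));
}

// Same unwrapping in the shape of jQuery.ajax's `dataFilter` option:
//   $.ajax({ url: "/users.action", dataType: "json",
//            dataFilter: jsonDataFilter, success: function (data) { ... } });
// The string returned here is what jQuery then hands to its JSON converter.
function jsonDataFilter(rawText, dataType) {
  if (dataType !== "json") return rawText;
  return stripCommentWrapper(rawText);
}

// Constructed sample responses (not captured from any real server).
const ARRAY_RESPONSE   = '[{"id":1,"email":"alice@example.com"}]';
const OBJECT_RESPONSE  = '{"id":1,"email":"alice@example.com"}';
const WRAPPED_RESPONSE = '/* [{"id":1,"email":"alice@example.com"}] */';

// Summarise how one response behaves as a cross-site <script> vs. via XHR.
function classify(text) {
  return {
    runsAsScript: isExecutableAsScript(text),
    parsedViaXhr: unwrapCommentedJson(text),
  };
}

for (const r of [ARRAY_RESPONSE, OBJECT_RESPONSE, WRAPPED_RESPONSE]) {
  const c = classify(r);
  console.log(JSON.stringify(r), "-> runs as script:", c.runsAsScript,
              "| via XHR:", JSON.stringify(c.parsedViaXhr));
}
```

Note that the comment-wrapped response still compiles as a program; it is just an empty one, so a <script> tag loading it constructs no array for the attacking page to observe, while the XHR path still gets the data after unwrapping.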