On 2010-06-13, at 11:20 AM, Evan Gilbert wrote:
>
>
> On Sun, Jun 13, 2010 at 8:18 AM, Eran Hammer-Lahav <e...@hueniverse.com>
> wrote:
> Using JSON in the end-user authorization endpoint response is still something
> we need to discuss. In the web server flow, it makes more sense to use
> form-encoded because the URI is processed by a typical query processor
> (automatic in every web server). In the fragment, it is a question of
> preference, and I was told that there are many benefits to using JSON. I
> think Facebook uses JSON in such a way.
>
>
> However, there is still value in using JSON across all server responses
> because it allows returning the same structured data.
>
>
> Can you explain the XSS hole from parsing a random JSON string?
>
>
> Naive processor calls:
> var href = document.location.href;
> // everything after the '#': the fragment the AS redirected back with
> var jsonBlob = href.substring(href.indexOf('#') + 1);
> // parentheses make an object literal evaluate as an expression;
> // eval() still executes whatever the fragment contains
> var userData = eval('(' + jsonBlob + ')');
>
> This code would allow executing arbitrary code by sending a user a link,
> which could, for example, steal your cookies on a site.
>
> The fix is just a really complicated RegEx match - here is sample code from
> Shindig that does this correctly - but I would worry that implementers would
> do the simple thing and just eval the JSON. It also seems like a sign of a
> design issue if the spec requires this regex.
If a response from the AS is untrusted, there are much bigger issues at stake.
... or am I missing an obvious attack where random JSON would get sent to the
Client?
-- Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
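The attack Evan describes, as an added example that is not code from the thread, from Shindig or from any OAuth implementation: the eval-based fragment parser next to a JSON.parse version and the form-encoded alternative Eran mentions. The callback URLs, the access_token values and the payload are constructed for the example; `globalThis.exfiltrated` stands in for the cookie theft and is an assumption of the example.

```javascript
// Sentinel the attacker's payload tries to set; stands in for "steal cookies".
globalThis.exfiltrated = null;

// Everything after the first '#', or '' when the URL has no fragment.
function fragmentOf(href) {
  const i = href.indexOf('#');
  return i === -1 ? '' : href.substring(i + 1);
}

// 1. Naive: eval() the fragment as a JavaScript expression. Any link the
//    user follows runs attacker-chosen code in the client's origin.
function parseFragmentNaive(href) {
  return eval('(' + fragmentOf(href) + ')');
}

// 2. Hardened: JSON.parse accepts only the JSON grammar. A function call or
//    any other expression is a SyntaxError and nothing executes.
function parseFragmentJson(href) {
  return JSON.parse(fragmentOf(href));
}

// 3. Form-encoded alternative: key=value pairs parsed with URLSearchParams,
//    the same way a query string is parsed, with no evaluation at all.
function parseFragmentForm(href) {
  return Object.fromEntries(new URLSearchParams(fragmentOf(href)).entries());
}

// Constructed sample links (assumed host and token values, not from the thread).
const benignJson =
  'https://client.example/cb#{"access_token":"SlAV32hkKG","expires_in":"3600"}';
const maliciousJson =
  'https://client.example/cb#(function(){globalThis.exfiltrated="document.cookie";return {"access_token":"pwned"}})()';
const benignForm =
  'https://client.example/cb#access_token=SlAV32hkKG&expires_in=3600';

// Runs all three parsers over the samples and reports what happened.
function demo() {
  const r = {};
  r.naiveBenign = parseFragmentNaive(benignJson).access_token;
  r.naiveMalicious = parseFragmentNaive(maliciousJson).access_token; // payload ran here
  r.exfiltratedAfterNaive = globalThis.exfiltrated;

  globalThis.exfiltrated = null;
  r.jsonBenign = parseFragmentJson(benignJson).access_token;
  let rejected = false;
  try {
    parseFragmentJson(maliciousJson);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  r.jsonMaliciousRejected = rejected;
  r.exfiltratedAfterJson = globalThis.exfiltrated;

  r.formBenign = parseFragmentForm(benignForm).access_token;
  return r;
}

console.log(demo());
```

A browser may percent-encode characters such as the quotes in `location.href`, so a real client would apply `decodeURIComponent` to the blob before the JSON variants; that does not change the outcome, since the decoded text is still handed to eval() or JSON.parse(). URLSearchParams does its own decoding, so the form-encoded variant must not be pre-decoded.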