Cross Site Integration “mashups” cross site scripting

Upload: clement-stewart

Post on 01-Jan-2016


Page 1: Cross Site Integration “mashups” cross site scripting

Cross Site Integration

“mashups”

cross site scripting

Page 2

Server Side

Server code fetches data or services

Has little to do with this course

Can involve XML or SQL to remote servers

Data may include HTML

Data may include javascript

Man-in-the-middle attacks?

Page 3

3rd Party

Do you trust them?

When they update will it break you?

When they go broke will it break you?

Do they send any javascript code or URLs used in links?

javascript can do ANYTHING to you

URLs can send people to fake sites

Page 4

AJAX

protocol is XML (SOAP)

data is often XML

Based upon hack of invisible frames

HTML pages read by javascript

Most often used in a framework which just lifts HTML fragments from the data

Page 5

AJAX

Security limitations are similar to javascripting frames

Same website (same-origin) policy!

can’t load external data

server-side data relays

Easy access to XML data sources

XML is powerful…

Page 6

Examples?

Libraries are always used: jQuery, etc

Requires server side program

Requires some XML data

this could be a minimal wrapper

http://www.w3schools.com/AJAX

http://www.ajaxdaddy.com
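Slides 5 and 6 say the same-origin policy stops a page from loading external data directly, so a server-side relay ("a minimal wrapper") is needed. The relay is then the piece that decides which remote servers the page can reach, so it should only forward to sources you chose. Below is an added example of such a relay in Node.js; it is not code from the slides or from either site linked above. The upstream hostnames and the `/relay?url=` interface are constructed for the example.

```javascript
// Added example (not from the slides): a minimal server-side data relay for
// AJAX pages, restricted to an allowlist of upstream sources.
// The hostnames below are constructed placeholders.

// Only these upstreams may be fetched through the relay. Protocol and host
// (including any port) must match exactly; anything else is refused.
const ALLOWED_UPSTREAMS = [
  { protocol: 'https:', host: 'data.example.com' },
  { protocol: 'https:', host: 'feeds.example.org' },
];

// Returns the normalized upstream URL if the requested target is allowed,
// otherwise null. Rejects unparsable URLs, URLs with embedded credentials,
// and any protocol/host pair that is not on the allowlist.
function resolveRelayTarget(requested) {
  let url;
  try {
    url = new URL(String(requested));
  } catch (e) {
    return null;
  }
  if (url.username || url.password) return null;
  const allowed = ALLOWED_UPSTREAMS.some(
    u => u.protocol === url.protocol && u.host === url.host
  );
  return allowed ? url.href : null;
}

// Relay handler for GET /relay?url=<upstream>. The upstream bytes are passed
// through as text/plain with nosniff, so a browser that navigates to the relay
// URL directly does not render relayed HTML or run relayed script; the page's
// own javascript fetches the text and parses it as data.
function relayHandler(req, res) {
  const https = require('https');
  const requested = new URL(req.url, 'http://localhost').searchParams.get('url');
  const target = resolveRelayTarget(requested);
  if (!target) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('relay target not allowed\n');
    return;
  }
  const headers = {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  https.get(target, upstream => {
    res.writeHead(upstream.statusCode || 502, headers);
    upstream.pipe(res);
  }).on('error', () => {
    res.writeHead(502, headers);
    res.end('upstream fetch failed\n');
  });
}

// Starts the relay on the given port and returns the server object.
function startRelay(port) {
  return require('http').createServer(relayHandler).listen(port);
}
```

To run it, call `startRelay(8080)` and request `http://localhost:8080/relay?url=https://data.example.com/feed`; any `url` whose scheme or host is not in `ALLOWED_UPSTREAMS` gets a 400 instead of being fetched. The allowlist is compared on the parsed `protocol` and `host`, not on the raw string, so lookalike hosts, other ports and `user:password@` prefixes are all refused.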

Page 7

Issues

DO NOT OVER DO IT!

High server load / High bandwidth

slow XML over slow HTTP

Server relay needs bandwidth

Utilizing XML may be extra work

XML processing is cpu intensive

Page 8

3rd Party

Do you trust them?

When they update will it break you?

When they go broke will it break you?

Do they send any javascript code or URLs used in links?

javascript can do ANYTHING to you

URLs can send people to fake sites

Page 9

Javascript

Almost no security limitations

exec() of code can be limited to making objects

JSON (JavaScript Object Notation)

easier, smaller, faster than XML

Code is more powerful / flexible

Page 10

JSON

For speed and size most use JSON

code can be written in JSON

most code libraries are in JSON

APIs not uniform!

Heavily depend on browser garbage collection - once script is loaded you can’t unload it

Page 11

Variable Method

var o = {json & could include code};

var x = "stringified code";

var loaded=1;

loading function looks for loaded==1

o: loop object & copy or exec

x: exec() runs the string

Page 12

Wrapped

javascript code sent as string data

wrap in HTML (invisible frame or part of a visible frame)

wrap in AJAX

This delays running the SCRIPT so you can “securely” exec it or parse it
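Slides 9, 11 and 12 contrast two ways of taking a string of JSON from a third party into the page: exec-ing it (the browser's `eval`), which runs any code the string contains, or parsing it so that it can only produce objects. The following is an added example, not code from the slides, showing both paths on a constructed response plus the "variable method" loader that waits for `loaded == 1` and copies `o` field by field instead of exec-ing it. The response strings and the `codeRan` log are constructed for the example.

```javascript
// Added example (not from the slides): eval() versus JSON.parse() on
// third-party "JSON", and a copy-only loader for the variable method.

// Records whether code embedded in a response actually executed.
const codeRan = [];

// Constructed sample responses. The second one is JSON-looking text with a
// function call smuggled in, as a hostile or sloppy third party might send.
const cleanResponse = '{"user": "alice", "score": 42}';
const codeResponse =
  '{"user": "alice", "score": (function () { codeRan.push("eval executed this"); return 0; })()}';

// "x: exec() runs the string": eval() evaluates the whole string as code,
// so anything embedded in it runs with the page's full privileges.
function loadWithEval(text) {
  return eval('(' + text + ')');
}

// Data-only loading: JSON.parse() only builds objects and throws a
// SyntaxError on anything that is not plain JSON, so embedded code never runs.
function loadAsData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Variable method: the third-party script sets globals like
//   var o = {...}; var loaded = 1;
// and the loader polls for loaded == 1, then "loops object & copies" rather
// than exec-ing. Only primitive values are copied; functions and nested
// objects from the script are dropped, so nothing in it gains control.
function copyLoadedObject(scope) {
  if (!scope || scope.loaded !== 1) return null; // not ready yet
  const copy = {};
  for (const key of Object.keys(scope.o || {})) {
    const v = scope.o[key];
    if (typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean') {
      copy[key] = v;
    }
  }
  return copy;
}
```

`loadWithEval(codeResponse)` returns a usable object but leaves an entry in `codeRan`, because the embedded function ran; `loadAsData(codeResponse)` returns `{ ok: false, error: 'SyntaxError' }` and nothing runs. That difference is what "exec() of code can be limited to making objects" buys you, and it is why the delay described above should end in a parse, not an exec, whenever the payload is meant to be data.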

Page 13

Library Style

Provides a set of functions to do what needs to be done

often handle loading of JSON (or AJAX)

Function parameters used for customization

CSS of the generated HTML

Page 14

Examples

http://disqus.com

Online comments, no javascript API

CSS to format, just a SCRIPT file

http://www.google.com/ig/directory?synd=open

Google gadgets js scripts

Some have API

Page 15

API/Globals/Query

API - their javascript interface (trust?)

You call their functions with settings

Globals- you define objects with the settings before running their code

Query - you send settings in the Query part of requesting the data
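Slides 13 and 15 describe a library-style component whose settings arrive three ways (API call, globals defined before the script runs, or the query string of the data request) and whose output is generated HTML and CSS. Whichever way a setting arrives it is untrusted input that ends up inside markup, so the library should validate each setting against the shape its context needs and escape it on output. Here is an added example of such a library, not code from the slides or from any of the sites they name; `CommentBox`, `window.CommentBoxSettings`, the query keys and the sample comments are all constructed for the example.

```javascript
// Added example (not from the slides): a tiny library-style widget that
// takes settings via API, globals or query, validates them, and escapes
// everything before it is placed in generated HTML/CSS. All names here
// are assumptions for the example, not a real library's API.

const DEFAULTS = { title: 'Comments', color: '#333333', max: 10 };

// Each setting lands inside HTML or an inline style, so it is constrained
// to a shape that cannot break out of that context. A setting that fails
// its rule falls back to the default instead of being "cleaned up".
const RULES = {
  title: v => typeof v === 'string' && v.length <= 80,
  color: v => typeof v === 'string' && /^#[0-9a-fA-F]{6}$/.test(v),
  max:   v => Number.isInteger(v) && v >= 1 && v <= 100,
};

// Query method: settings travel in the query string of the data request,
// e.g. "?title=Hello&max=5". A query only carries strings, so numeric
// settings are converted before validation (a bad number becomes NaN and fails).
function settingsFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  const out = {};
  if (params.has('title')) out.title = params.get('title');
  if (params.has('color')) out.color = params.get('color');
  if (params.has('max')) out.max = Number(params.get('max'));
  return out;
}

// Globals method: the page defines an object before the library script runs.
// `scope` stands in for window; the property name is an assumption.
function settingsFromGlobals(scope) {
  const g = scope && scope.CommentBoxSettings;
  return g && typeof g === 'object' ? g : {};
}

// Merges settings sources in order (later wins), accepting only values
// that pass their rule. Unknown keys are ignored entirely.
function resolveSettings(...sources) {
  const result = Object.assign({}, DEFAULTS);
  for (const src of sources) {
    if (!src || typeof src !== 'object') continue;
    for (const key of Object.keys(RULES)) {
      if (key in src && RULES[key](src[key])) result[key] = src[key];
    }
  }
  return result;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// API method: the page calls the library function with settings directly.
// Returns the generated HTML for the given comments (constructed sample data).
function CommentBox(apiSettings, comments, { globals, query } = {}) {
  const s = resolveSettings(
    settingsFromGlobals(globals),
    settingsFromQuery(query || ''),
    apiSettings || {}
  );
  const items = comments.slice(0, s.max).map(c => `<li>${escapeHtml(c)}</li>`).join('');
  return `<div class="commentbox" style="color:${s.color}">` +
         `<h3>${escapeHtml(s.title)}</h3><ul>${items}</ul></div>`;
}
```

A call such as `CommentBox({ title: 'Site feedback' }, comments, { query: 'color=%23ff0000&max=5' })` yields markup in which the title and every comment are escaped, the colour is a validated hex value placed in the style attribute, and `max` has been range-checked. The `color` rule is the one to notice: a free-form string in an inline style would let a setting inject arbitrary CSS, so only the six-digit hex form is accepted.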

Page 16

3rd Party

Do you trust them?

When they update will it break you?

When they go broke will it break you?

Do they send any javascript code or URLs used in links?

javascript can do ANYTHING to you

URLs can send people to fake sites

Page 17

Google Maps

1st to popularize rich javascript applications

Has a Javascript API - add your own points on the map

Was early to popularize “mashups” combining datasets with location data

http://code.google.com/apis/maps/documentation/javascript/

Page 18

Plug-ins

Flash, Silverlight, A/V, ActiveX

Browser plug-ins have little security

Plug-ins may have javascript APIs

Plug-ins may have their OWN scripting (flash uses javascript)

Page 19

Examples

Youtube embedded

Paste-in HTML code

Basically it's a flash plug-in embed

External video / audio content

Quicktime, <video>, etc

“super” cookies - use plug-ins to circumvent privacy