23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

(mesch) Steffen Meschkat
Tag 2
Raum Saal 2
Beginn 12:45
Dauer 01:00
ID 1568
Veranstaltungstyp Vortrag
Track Science
Sprache englisch


Cross Site Scripting and Client Side Web Services

JSON RPC is a recently fashionable buzzword in the AJAX context. This lecture explains its principles, specifically the same origin policy for cross site scripting and its relation to JSON RPC, and demonstrates the essential implementation details using the example of the geocoding service in the google maps API.

The collection of technologies on which modern web applications are based is nowadays summarily referred to as AJAX, or "Asynchronous JavaScript and XML". Interestingly, the use of XML as the data format for the transfer between client and server is not only unnecessarily complicated, but in its usual incarnation as XMLHttpRequest it is also subject to restrictions that prevent the direct use of web services from the client side of the web application.

A natural alternative to the transport of XML data structures though the XMLHttpRequest API is the transport of literal JavaScript expressions (nowadays also called JSON, or "JavaScript Object Notation") through dynamically created SCRIPT elements. We discuss practical aspects of the implementation of this approach and the consequences for architecture and software design of web applications.

Because the circumvention of restrictions that were originally meant to maintain security might be frightening at first sight, we recapitulate the principles on which cross site scripting restrictions are based, and we discuss why their circumvention for the purpose of JSON/SCRIPT based data transport doesn't infract the security of a web application.

Anhängte Dateien