Ah, XSS -- of course. Please excuse my temporary lapse of security-awareness. -Daniel
-----Original Message----- From: wikitech-l-bounces@lists.wikimedia.org [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Chris Steipp Sent: Wednesday, May 16, 2012 3:28 PM To: Wikimedia developers Subject: Re: [Wikitech-l] reasons for api json callback restrictions
Hi Daniel,
The restrictions prevent a class of attacks that go by the name "javascript hijacking" [1] or "xssi" [2]. This is where a malicious website (evil.com) includes the json (wrapped in the callback) from a <script src=some_url /> tag. The Javascript rules say that if evil.com included the javascript file from a script src link, then any javascript on the page (written by evil.com) has full access to the variables and javascript code on the page. So evil.com could send the tokens off to an attacker for use, or it could do a csrf attack right there from evil.com. GMail was bit by this a few years ago [3].
Hopefully that makes sense, but let me know if you want any more details!
Chris
[1] - http://en.wikipedia.org/wiki/JavaScript#Cross-site_vulnerabilities [2] - http://google-gruyere.appspot.com/part3 [3] - http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-...
On Wed, May 16, 2012 at 11:27 AM, Daniel Renfro drenfro@vistaprint.comwrote:
Can someone explain the reason for the limitations for the JSON callbacks? I'm sure there are good reasons, but they're nonobvious to me. See: < https://www.mediawiki.org/wiki/API:Data_formats#JSON_callback_restrictions >
-Daniel (User:DanielRenfro)
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l