Ah, XSS -- of course. Please excuse my temporary lapse of security-awareness.
-Daniel
-----Original Message-----
From: wikitech-l-bounces(a)lists.wikimedia.org
[mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Chris Steipp
Sent: Wednesday, May 16, 2012 3:28 PM
To: Wikimedia developers
Subject: Re: [Wikitech-l] reasons for api json callback restrictions
Hi Daniel,
The restrictions prevent a class of attacks that go by the name "javascript hijacking" [1] or "xssi" [2]. This is where a malicious website (evil.com) includes the json (wrapped in the callback) from a <script src=some_url /> tag. The Javascript rules say that if evil.com included the javascript file from a script src link, then any javascript on the page (written by evil.com) has full access to the variables and javascript code on the page. So evil.com could send the tokens off to an attacker for use, or it could do a csrf attack right there from evil.com. GMail was bitten by this a few years ago [3].
Hopefully that makes sense, but let me know if you want any more details!
Chris
[1] - http://en.wikipedia.org/wiki/JavaScript#Cross-site_vulnerabilities
[2] - http://google-gruyere.appspot.com/part3
[3] - http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques…
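The defensive side of what Chris describes, as an added example that is not MediaWiki's own code: a small JSONP-aware API handler in which a request that asks for a callback (and so will be evaluated as a cross-origin script) is served as if the caller were logged out, so no session-bound tokens can end up inside the wrapped response. The session store, the payload shape and the `/**/` prefix are assumptions for illustration.

```javascript
// Added example, not MediaWiki code. Rule being demonstrated: a response
// that a third-party origin can include via <script src=...> must never
// carry anything bound to the caller's cookie session (edit/CSRF tokens,
// private fields). With ?callback= present the session is dropped and the
// callback name is checked against a strict identifier pattern.

const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Constructed stand-in for a cookie -> session lookup.
const SESSIONS = { 'sid-123': { user: 'Daniel', editToken: 'tok-abc' } };

function lookupSession(cookie) {
  return SESSIONS[cookie] || null;
}

// Builds the API payload; `session` is null for anonymous callers.
function buildPayload(session) {
  const payload = { query: { pages: { 1: { title: 'Main Page' } } } };
  if (session) {
    payload.query.userinfo = { name: session.user };
    payload.query.tokens = { csrftoken: session.editToken };
  } else {
    payload.query.userinfo = { anon: '' };
  }
  return payload;
}

// handle({cookie, params}) -> {status, contentType, body}
function handle(req) {
  const callback = req.params.callback;
  let session = lookupSession(req.cookie);
  if (callback !== undefined) {
    if (!CALLBACK_RE.test(callback)) {
      return { status: 400, contentType: 'application/json; charset=utf-8',
               body: JSON.stringify({ error: 'invalid callback name' }) };
    }
    // Cross-origin script inclusion: treat the caller as logged out.
    session = null;
  }
  const json = JSON.stringify(buildPayload(session));
  if (callback !== undefined) {
    // Leading comment keeps the body from being a valid start of other
    // content types that sniffing clients might execute.
    return { status: 200, contentType: 'text/javascript; charset=utf-8',
             body: '/**/' + callback + '(' + json + ')' };
  }
  return { status: 200, contentType: 'application/json; charset=utf-8', body: json };
}
```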
On Wed, May 16, 2012 at 11:27 AM, Daniel Renfro <drenfro(a)vistaprint.com> wrote:
Can someone explain the reason for the limitations for the JSON callbacks?
I'm sure there are good reasons, but they're nonobvious to me.
See: <https://www.mediawiki.org/wiki/API:Data_formats#JSON_callback_restrictions>
-Daniel (User:DanielRenfro)
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l