March 5, 2009 - 19:40 UTC - Tags: web2.0 trust mashup
JSONp combined with dynamically added script tags is becoming a popular technique for bringing in external content. However it has some important security implications.The same origin policy
JSONp is prone to hijacking. By using an XSRF-attack, an attacker can gain the same access as the victim. All the attacker has to do, is to add the same script tag as the original application, to a site the attacker owns, and define a callback that steals the data.JSONp and dynamically added script tags
When you are adding a script tag to an external server (to add pictures from flickr, run statistics from google analytics, or add maps or ads from google), you are actually allowing that script to run under the context on your site. What this basically means, is that you are allowing them to do cross site scripting. The scripts can do whatever they want in the context of the browser. They can do keylogging, steal data or change the content of your site.Adding a script tag to an external server implies trust
, and this is something you need to be aware of and make conscious choices about. This is especially true when you are running them under SSL, or when users are logged in.But wait a minute - don't you have ads from google on your site?
Yes, I do. All the data on my blog is available to everyone anyways, and I've decided to trust google to not harm my page.
Do you trust your external scripts?