March 5, 2009 - 19:40 UTC - Tags: web2.0 trust mashup
JSONp combined with dynamically added script tags is becoming a popular technique for bringing in external content. However, it has some important security implications.
The same origin policy
The same origin policy is implemented in browsers to stop JavaScript from stealing data from other windows/frames/iframes/resources, and is an important security measure. Currently the same origin policy allows AJAX and JavaScript access only if both origin and target are on the same port, protocol and host. It is however possible to allow JavaScript access to other servers on the same domain, by setting the document.domain property. This will soon be allowed for AJAX as well.
JSONp hijacking
JSONp is prone to hijacking. Using a cross-site request forgery (XSRF) attack, an attacker can obtain the same data the victim is allowed to see, because the browser sends the victim's cookies along with the script request. All the attacker has to do is add the same script tag as the original application to a site the attacker owns, and define a callback that steals the data.
JSONp and dynamically added script tags
When you are using JSONp, the script returned by the server is a call to a callback function, with the data (in JSON format) as its argument. By appending new script tags, the web site can allow data to be downloaded from other sources, and thus circumvent the same origin policy in a controlled way. This can be used to add content from sites such as flickr.
External script tags and trust
When you are adding a script tag to an external server (to add pictures from flickr, run statistics from google analytics, or add maps or ads from google), you are actually allowing that script to run in the context of your site. What this basically means is that you are allowing them to do cross site scripting. The scripts can do whatever they want in the context of the browser. They can do keylogging, steal data or change the content of your site.
Adding a script tag to an external server implies trust, and this is something you need to be aware of and make conscious choices about. This is especially true when you are running them under SSL, or when users are logged in.
But wait a minute - don't you have ads from google on your site?
Yes, I do. All the data on my blog is available to everyone anyway, and I've decided to trust google to not harm my page.
Do you trust your external scripts?