Web Info & Tutorials

February 8th, 2007

CSRF PROTECTION IDEA

Joe Walker has an idea for CSRF protection. Will it work?

There are several ways to forge a request in a CSRF attack: iframe, script tag, image tag, scripted window.open() etc. As far as I know XHR is not one of these, because cross-domain rules kick in before the request is sent and not when the reply is read.

Both iframe and XHR will allow you to construct POST requests; the other attack mechanisms are restricted to GET only. With the iframe method, you use some DOM scripting to create a form that points to an iframe. This implies that only form-formatted data can be sent over an iframe POST request.

So in the Ajax world, it might be possible to have a CSRF-safe application that works simply by insisting on POST, and denying anything that is application/x-www-form-urlencoded. Clearly this technique won’t work for non-Ajax requests because it requires the browser to use XHR.
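As an added example (not Joe Walker's code), here is the rule above written as a server-side request filter: accept POST only, and reject anything with a form body. It goes one step beyond the post by also rejecting the other two enctypes an HTML form can submit, multipart/form-data and text/plain, since an auto-submitted form in an iframe can produce those just as easily as urlencoded data. The endpoint name and the sample requests at the bottom are constructed for the example.

```javascript
// Added example, not from the original post. A filter implementing
// "POST only, no form-encoded bodies", extended to every enctype an
// HTML <form> can send.

// Everything a plain <form enctype=...> can produce. Anything else can only
// come from script on our own origin using XHR, which is the point.
const FORM_ENCTYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Reduce a Content-Type header to its media type: drop parameters such as
// "; charset=utf-8" or "; boundary=...", trim, lower-case.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether an Ajax endpoint should process a request.
// headers is an object with lower-cased keys, like Node's req.headers.
function csrfFilter(method, headers) {
  const m = String(method || '').toUpperCase();
  if (m !== 'POST') {
    return { ok: false, reason: 'method ' + m + ' not allowed, POST only' };
  }
  const type = mediaType(headers && headers['content-type']);
  if (type === '') {
    // No Content-Type at all: treat it like a form post and refuse it.
    return { ok: false, reason: 'missing Content-Type' };
  }
  if (FORM_ENCTYPES.has(type)) {
    return { ok: false, reason: 'form enctype ' + type + ' rejected' };
  }
  return { ok: true, type: type };
}

// Request handler shaped for Node's http.createServer(handler). Returns the
// status code it wrote so the decision can be checked without a socket.
function handler(req, res) {
  const verdict = csrfFilter(req.method, req.headers);
  if (!verdict.ok) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('rejected: ' + verdict.reason + '\n');
    return 403;
  }
  // A real endpoint would parse the JSON body here (hypothetical /api/transfer).
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end('{"status":"processed"}');
  return 200;
}

// Constructed sample requests, one per vector named in the post.
const SAMPLES = {
  imgTag:        { method: 'GET',  headers: {} },
  autoForm:      { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' } },
  multipartForm: { method: 'POST', headers: { 'content-type': 'multipart/form-data; boundary=----abc' } },
  xhrJson:       { method: 'POST', headers: { 'content-type': 'application/json; charset=utf-8' } },
};

// Run every sample through the filter; returns { name: accepted } for inspection.
function runSamples() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) {
    const s = SAMPLES[name];
    out[name] = csrfFilter(s.method, s.headers).ok;
  }
  return out;
}

console.log(runSamples());
// → { imgTag: false, autoForm: false, multipartForm: false, xhrJson: true }
```

The filter rests on the browser not letting a cross-site page choose the Content-Type of a request it forges: a form is limited to the three enctypes in the set, and cross-domain XHR, as the post says, is stopped before it is sent. Today's CORS keeps the same line, since a POST with any other Content-Type is a preflighted request that a foreign origin cannot complete without the server opting in. It does nothing for GET handlers, and an endpoint that also accepts form posts for non-Ajax clients gives the protection up again.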

February 8th, 2007

DELVING INTO JAVASCRIPT’S PROTOTYPE MEMBER

Raphael Bauduin has been playing with the Javascript prototype member in order to get an Understanding of Javascript’s prototype member.

After he saw Doug Crockford's Advanced JavaScript presentation he cracked open Rhino and started playing.

Take a peek at the ride:

JAVASCRIPT:
second_hoozit.toString              //sun.org.mozilla.javascript.internal.InterpretedFunction@1bd4722
second_hoozit.__proto__.toString    //sun.org.mozilla.javascript.internal.InterpretedFunction@a3bcc1
Hoozit.prototype.toString           //sun.org.mozilla.javascript.internal.InterpretedFunction@a3bcc1
my_hoozit.__proto__.toString        //sun.org.mozilla.javascript.internal.InterpretedFunction@c51355
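The transcript shows only the four lookups and Rhino's printed object hashes, so the definitions behind it are not on the page. As an added example (not Raphael Bauduin's code), here is one set of assumed definitions under which those four lookups come out the way they do, with the relationships checked by === instead of by eye, plus a small chain walker that reports at which hop a property is found.

```javascript
// Added example, not from the original post. The constructor, the two
// instances and the prototype swap are assumptions chosen to reproduce the
// relationships in the transcript above.

function Hoozit(name) {
  this.name = name;
}
// Keep a handle on the prototype object that exists at this point.
const originalProto = Hoozit.prototype;
originalProto.toString = function () { return 'Hoozit(' + this.name + ')'; };

// Created now, so its __proto__ is originalProto.
const my_hoozit = new Hoozit('first');

// Replace the constructor's prototype object after my_hoozit exists.
Hoozit.prototype = {
  constructor: Hoozit,
  toString: function () { return 'Hoozit v2(' + this.name + ')'; },
};

// Created after the swap, so its __proto__ is the new object...
const second_hoozit = new Hoozit('second');
// ...and it gets an own toString that shadows the inherited one.
second_hoozit.toString = function () { return 'own(' + this.name + ')'; };

// Walk the prototype chain and return the hop at which obj resolves prop:
// 0 = own property, 1 = direct prototype, and so on; -1 = not found.
function findHop(obj, prop) {
  let hop = 0;
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o), hop++) {
    if (Object.prototype.hasOwnProperty.call(o, prop)) return hop;
  }
  return -1;
}

// The four lookups from the transcript, as boolean relationships.
function relationships() {
  const secondProto = Object.getPrototypeOf(second_hoozit); // second_hoozit.__proto__
  const myProto = Object.getPrototypeOf(my_hoozit);         // my_hoozit.__proto__
  return {
    // line 1 vs line 2: the own function differs from the inherited one
    ownShadowsInherited: second_hoozit.toString !== secondProto.toString,
    // line 2 vs line 3: a new instance's __proto__ is the constructor's current prototype
    protoIsCtorPrototype: secondProto.toString === Hoozit.prototype.toString,
    // line 4 vs line 3: the older instance still points at the prototype it was built with
    oldInstanceKeepsOldProto: myProto.toString !== Hoozit.prototype.toString,
    oldProtoIsOriginal: myProto === originalProto,
    // consequence of the swap: instanceof looks at Hoozit.prototype, which changed
    oldInstanceFailsInstanceof: !(my_hoozit instanceof Hoozit),
    // what the lookups actually resolve to when called
    rendered: [String(second_hoozit), String(my_hoozit), secondProto.toString.call(second_hoozit)],
    // where each toString lives on the chain
    hops: [findHop(second_hoozit, 'toString'), findHop(my_hoozit, 'toString'), findHop(my_hoozit, 'hasOwnProperty')],
  };
}

console.log(relationships());
```

The hop counts are the part the hashes hide: second_hoozit finds toString on itself, my_hoozit one hop up on the prototype it was created with, and hasOwnProperty two hops up on Object.prototype. Reassigning Hoozit.prototype does not rewire instances that already exist, which is why my_hoozit.__proto__.toString prints a different hash from Hoozit.prototype.toString.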
February 8th, 2007

SHAKESPEARE SONNET SHAKE-UP

Jim Yagmin has created a fun app that uses Ajax titled the Shakespeare Sonnet Shake-up.

The site allows users to rearrange the lines of Shakespeare’s sonnets to create a “sonnet remix” - an all new poem written using lines drawn from several of Shakespeare’s sonnets. The application understands the rhyme scheme of a sonnet, and will only show matching rhymes where appropriate. A fun tool for would-be poets, students of the sonnet form, and any fan of Shakespeare!

Shakespeare Sonnet Shake-up

February 8th, 2007

YAHOO! PIPES: AJAX MASHUP BUILDER

Yahoo! has a new service called Pipes that aims to make it easy to build mashups:

Pipes is a hosted service that lets you remix feeds and create new data mashups in a visual programming environment. The name of the service pays tribute to Unix pipes, which let programmers do astonishingly clever things by making it easy to chain simple utilities together on the command line.

The UI is a rich Ajax application using YUI of course. It is the kind of UI that feels like Flash, but then you do a view source and you see:

HTML:
<script type="text/javascript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo-dom-event_2.1.2.js"></script>
<script type="text/javascript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/connection_2.1.2.js"></script>
<script type="text/javascript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/animation_2.1.2.js"></script>
<script type="text/javascript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/dragdrop_2.1.2.js"></script>
<script type="text/javascript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/common/widgets/2/logger/logger_2.1.2.js"></script>
<script type="text/javascript" src="/js/maxwell.js"></script>

Is Maxwell the codename?

We are seeing more and more applications in this domain (e.g. Ning, and other systems coming up).

Yahoo! Pipes