
I found this great tip via Google, and I am well familiar with the technique of populating divs via JavaScript. What I'm wondering is: is this a secure way of requesting asynchronous page content or not? If not, what would be a "secure" solution for partial page loading?

Thanks so much :)

  • This question is confusing. "Better (and more secure)" than what? And what has asynchronicity to do with security? Commented Jul 14, 2011 at 16:58
  • I'm not sure what XSS prevention has to do with anything either; that can be a problem with any sort of HTTP transaction. Also, the "code behind" is going to be "obscure" simply because it lives on the server. To the extent that there's a URL to be posted to, it really makes little difference whether it's XHR or not (except possibly to some anti-CSRF schemes). Commented Jul 14, 2011 at 17:00
  • Mind you, I asked if there IS a more secure way. According to my Wrox book on ASP.NET Security, it is possible to inject code into JavaScript HTTP requests, which makes sense to me since all client-side scripting is visible to the user. I don't see why my question is so confusing. Commented Jul 14, 2011 at 17:02
  • Again: a "more secure way" than what? Of course the question is not confusing to you. ;-) That proves nothing, since it is your question. Commented Jul 14, 2011 at 17:04
  • I'd have to agree with the others. It is hard to understand what you're really asking here. First off, the "great tip" link doesn't seem to have anything to do with your security question. Second, you ask if "this" is really a secure method and I don't know what "this" method you're talking about, as you don't describe it or include code samples and only have the one reference, which has me confused about what method you're discussing. You can be defensive and insist that your question is clear, but you're unlikely to find help without clarification. Please try to clarify your question. Commented Jul 14, 2011 at 17:10

1 Answer

An Ajax call is an HTTP request.

The same security practices that are used for normal POST and GET apply to Ajax POSTs and GETs.

People freak out because I can see my Ajax call in Firebug and people can see the URLs of the calls. Anyone can see your calls to backends with a simple proxy.

The only thing different is that Ajax calls are more open to attack with XSS, since people tend to shove whatever is in the response into innerHTML. The only way that really happens is if the server is compromised and sends down bad info, or a man-in-the-middle attack happens.

But when you look at it, the same thing can be injected with a normal get.

You should make sure you are still using authentication on the server for the Ajax backend calls, you should validate the data on the server, add basic security checks on the client, and avoid eval() [use JSON.parse or JSON.js].

OWASP has some Ajax Security Guidelines.
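The following is an added example, not code from the answer above or from the OWASP guidelines it links to. It shows the three client-side points the answer makes for a JSON Ajax response: parse with JSON.parse instead of eval(), do a basic shape check on the client, and build markup from escaped values instead of pushing the raw response body into innerHTML. The response body and the "/api/items" endpoint it is meant to come from are constructed for the example; the field names (items, id, title) are assumptions.

```javascript
// Constructed sample of a well-formed JSON response from a hypothetical
// "/api/items" endpoint (assumption, not an endpoint from the original page).
// The second title carries markup, as data from a compromised backend or a
// man in the middle might.
const SAMPLE_RESPONSE = JSON.stringify({
  items: [
    { id: 1, title: 'Plain title' },
    { id: 2, title: '<img src=x onerror="alert(1)">' },
  ],
});

// Legacy pattern the answer warns against: eval() executes whatever
// JavaScript the body contains, not just data.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Recommended replacement: JSON.parse accepts only JSON and throws on
// anything else, so a body that is code rather than data is rejected.
function parseJson(text) {
  return JSON.parse(text);
}

// Basic client-side check: the parsed value must have the shape the page
// expects. Only allow-listed fields with the expected types are copied out,
// so nothing unexpected reaches the rendering step.
function validateItems(data) {
  if (typeof data !== 'object' || data === null || !Array.isArray(data.items)) {
    throw new TypeError('unexpected response shape');
  }
  return data.items.map((it) => {
    if (typeof it !== 'object' || it === null ||
        typeof it.id !== 'number' || typeof it.title !== 'string') {
      throw new TypeError('unexpected item shape');
    }
    return { id: it.id, title: it.title };
  });
}

// Escape the characters that matter in HTML text and quoted attribute
// context, so a string from the response is rendered as text, not markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the fragment from validated, escaped values. In a browser the
// returned string is what would be assigned to container.innerHTML; creating
// elements and setting textContent instead would make escaping unnecessary.
function renderItems(items) {
  const lis = items.map(
    (it) => `<li data-id="${escapeHtml(it.id)}">${escapeHtml(it.title)}</li>`,
  );
  return '<ul>' + lis.join('') + '</ul>';
}

// End-to-end: what an XHR/fetch success handler would do with responseText.
function handleResponse(text) {
  return renderItems(validateItems(parseJson(text)));
}

// Constructed body that is valid JavaScript but not valid JSON: eval() runs
// the embedded expression (here it only sets a flag), JSON.parse throws.
const NON_JSON_RESPONSE = '{"items": (globalThis.evalRan = true, [])}';

console.log(handleResponse(SAMPLE_RESPONSE));
```

With SAMPLE_RESPONSE the rendered fragment contains `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;` as inert text; with NON_JSON_RESPONSE, parseJson throws a SyntaxError while parseWithEval would execute the body, which is the difference the answer's "avoid eval()" advice is about.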


5 Comments

AWESOME!! Thank you so much. You exactly answered my question and spoke on issues I'm familiar with as well. I greatly appreciate it after receiving such rudeness from others. :)
@Chiramisu: Calm down. Nobody has been rude to you in the least bit.
@Chiramisu: You felt very attacked by what? Requests for clarification? By a stray down-vote on your very first SO question? Time for a reality check, methinks. Read the comments you got again and tell me where anybody attacked you.
@Tomalak: Just forget it mate, it's not worth it. Cheers ;)
@Chiramisu You'd have a hard time answering that question anyway.
