27 Comments
- gweedo767, on 10/12/2007, -0/+13
Just because the page is asynchronous doesn't make it magically need different security considerations. You are still submitting data back to a server via POST or GET....the same security issues existed before and will continue to with AJAX.
--digg
- OneZeroZeroOne, on 10/12/2007, -1/+11
Wha..wha...whaaaaat....don't ever trust the user??? Always validate and scrub input? What is this new idea of which you speak?!
- kofspades, on 10/12/2007, -0/+9
This is no different than securing a normal web application.
- merreborn, on 10/12/2007, -0/+5
"Is that signed by a guy named digg or did you mean digg--?"
Both the prefix- and postfix- decrement operators decrement. It's just a question of whether they decrement before returning a value or not.
- toconnor, on 10/12/2007, -0/+4
Remove stupid comments like "Security with AJAX is of course an important consideration as it's asynchronous". Then find and replace "AJAX" with another buzzword "web service", "SOA", "web site", "whatever", and you've read this article a dozen times before.
- merreborn, on 10/12/2007, -0/+3
That only has to do with the client side. The client, in a web app, is out of your control. It's the server end that _really_ needs securing.
- SimpleRules, on 10/12/2007, -0/+2
I have found most AJAX apps to be accessible to those without Javascript and such, you just don't get that feature but you can still use the app over all.
AJAX security? All you need is common sense when handling GET & POST, that's not new.
- Bogtha, on 10/12/2007, -0/+2
This was lame when it was on Slashdot earlier, and it's still lame now. This has nothing to do with Ajax per se, the author seemingly sprinkled the buzzword all over the article just to get places like Slashdot and Digg to link to it.
- dave_colorado, on 10/12/2007, -0/+2
merreborn is right. fyi, you can still use session based validation on the server with ajax.
- putnam, on 10/12/2007, -0/+2
There sure are a lot of retards posting in his comments there on the blog. Read my post (Chris Putnam) for an example of sending a POST request behind the scenes and retrieving the result.
You're retarded if you think any kind of HTTP request is safe. And this really doesn't have a damn thing to do with AJAX. I'm so ***** sick of people tacking that word on to everything. Stop it.
- wolever, on 10/12/2007, -0/+2
Is it just me, or does a lot of his "security" come through the use of POST data? How is POST data _any_ harder to fake than GET data? Sure, it may make your life a _little_ easier, but there are some neat little tools out there like Tamper Data (tamperdata.mozdev.org/) which give you complete control over everything your browser sends...
If you're writing a secure site, security needs to be the first thing you think about. It's not something that can be added on later....
Just my 2c...
- inactive, on 10/12/2007, -2/+3
Is that signed by a guy named digg or did you mean digg--?
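The point wolever and dave_colorado make above (POST is no harder to forge than GET, and the session check belongs on the server) is easy to show in code. The following handler is an added example, not code from this thread, from Digg, or from the article under discussion. The request object shape, the `SESSIONS` store, the cookie name `sid` and the `storyId`/`direction` vote parameters are all constructed for the example; it assumes Node.js with the global `URL` and `URLSearchParams` classes.

```javascript
// Added example: a server-side handler that treats the GET query string and the
// POST body as the same untrusted input, and resolves the user from a server-side
// session rather than from anything the client sent.

// Constructed session store: cookie value -> server-side session record.
const SESSIONS = new Map([['sess-abc123', { userId: 7 }]]);

function parseCookies(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

function collectParams(req) {
  // Query string and body both come from the client. Neither channel is more
  // trustworthy than the other, so they land in one map and get one validator.
  const params = Object.fromEntries(new URL(req.url, 'http://localhost').searchParams);
  if (req.method === 'POST' && typeof req.body === 'string') {
    for (const [k, v] of new URLSearchParams(req.body)) params[k] = v;
  }
  return params;
}

function validateVote(params) {
  // Allow-list validation: exact expected formats, not "strip the bad characters".
  const errors = [];
  if (!/^[1-9]\d{0,8}$/.test(params.storyId || '')) errors.push('storyId');
  if (!['up', 'down'].includes(params.direction)) errors.push('direction');
  return errors;
}

function handleVote(req) {
  // The user identity comes from the server-side session, never from a
  // client-supplied field such as "userId".
  const cookieHeader = (req.headers && req.headers.cookie) || '';
  const session = SESSIONS.get(parseCookies(cookieHeader).sid);
  if (!session) return { status: 401, body: 'login required' };

  const params = collectParams(req);
  const errors = validateVote(params);
  if (errors.length > 0) return { status: 400, body: 'invalid: ' + errors.join(', ') };

  return {
    status: 200,
    body: 'user ' + session.userId + ' voted ' + params.direction + ' on story ' + params.storyId,
  };
}

// Constructed requests. The GET and the POST carry the same malformed storyId
// and receive the same verdict; a request without a session is rejected before
// any parameter is looked at, even though it claims a userId.
function malformedGet() {
  return handleVote({ method: 'GET', url: '/vote?storyId=abc123&direction=up',
                      headers: { cookie: 'sid=sess-abc123' } });
}
function malformedPost() {
  return handleVote({ method: 'POST', url: '/vote', body: 'storyId=abc123&direction=up',
                      headers: { cookie: 'sid=sess-abc123' } });
}
function anonymousPost() {
  return handleVote({ method: 'POST', url: '/vote', body: 'storyId=42&direction=up&userId=7',
                      headers: {} });
}
function legitimatePost() {
  return handleVote({ method: 'POST', url: '/vote', body: 'storyId=42&direction=down',
                      headers: { cookie: 'sid=sess-abc123' } });
}
```

The method only decides where the parameters are read from; once collected they go through the same allow-list, and the only thing the handler believes about who is calling is what the server-side session table says.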
- JohnnySoftware, on 10/12/2007, -0/+1
Isn't calling eval for the purpose of validating it a lot like shaking a suspicious package to see if there is a bomb in it, or lighting a match to check if the pilot light in the oven has gone out?
"The eval function... can compile and execute any JavaScript program, so there can be security issues. The use of eval is indicated when the source is trusted."
Calling the JSON.parse(...) method instead of the eval(...) function is what the site you refer to recommends. They say it checks to see that the Javascript contains only JSON.
I guess I could interpret what you wrote both ways; the wording is a little ambiguous. Either way though, that JSON.org website you pointed out is very handy - thanks.
- ryan_merket, on 10/12/2007, -1/+2
This is the future (or present?)... too many sites have huge AJAX security holes.
- ascheinberg, on 10/12/2007, -0/+1
What post? Give us a link!
- nicodemas, on 10/12/2007, -1/+2
Lame x2
As was said before, it's the same as a normal get/post.
- gweedo767, on 10/12/2007, -0/+1
--digg means that I am decrementing the digg value prior to anything else occurring. I think this story is so worthless I want to make sure that my -1 occurs prior to any possible output or other arithmetic.
Thank you
-gweedo767
(that is a sign off)
- inactive, on 10/12/2007, -2/+2
Good point but when leaving comments, the more popular interpretation would be a signoff, or at least I believe it is. In that case signing as "digg" leads me to think someone is either stroking their ego, referring to themselves as digg or ....nevermind don't know where i was going with that.
- jarjarbinks, on 10/12/2007, -1/+1
man, I'm struggling with this guy's English. Someone please send him a tutor! :)
- inactive, on 10/12/2007, -0/+0
Good point. Try doing just about, well, anything on digg with javascript disabled. You can still read everything though.
- lordatlas, on 10/12/2007, -0/+0
Now I'm waiting for the day when developers start thinking about accessibility with AJAX. I wish we saw articles saying "Is your AJAX Application accessible enough?"
http://blog.fawny.org/2006/03/27/mesh2/
- inactive, on 10/12/2007, -1/+1
How is this ANY different from standard HTML requests?
- jnorris441, on 10/12/2007, -1/+1
"don't learn to hack, hack to learn"
In order to hack to learn, one must learn to hack, correct? That's like saying "Don't learn to read, read to learn." I don't think many illiterates will be reading to learn, do you?
Or maybe it was just supposed to be a snappy tagline, and I missed the point.
- andrewmurphy, on 10/12/2007, -1/+1
A big step in the right direction would be validating anything you run through eval() to make sure it's just JSON, and not malicious code... at least on the simplest level.
Luckily tools for just that already exist...
http://www.json.org/json.js
No this doesn't solve everything, but it does take care of a lot of problems.
- nicodemas, on 10/12/2007, -2/+2
Amen.
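JohnnySoftware's and andrewmurphy's comments above both come down to the same contrast: eval() runs whatever the response contains, while a real JSON parser only accepts the JSON grammar. The snippet below is an added example and is not code from this thread, from json.org's json.js, or from the article being discussed. It assumes a native `JSON.parse` (ES5 or later, e.g. Node.js); the two sample responses and the `validateScoreRecord` shape check are constructed for the example. The "hostile" response only sets a marker flag so the difference is observable.

```javascript
// Added example: eval() versus JSON.parse() on a constructed AJAX response,
// followed by a shape check, because well-formed JSON is still untrusted data.

// Constructed sample responses, as a client might receive them via XMLHttpRequest.
const HONEST_RESPONSE = '{"user": "alice", "score": 42}';

// Syntactically valid JavaScript, but not JSON. Under eval() the function body
// runs in the page's origin; here it only sets a marker so the effect is visible.
const HOSTILE_RESPONSE =
  '(function () { globalThis.sideEffectRan = true; return {"user": "eve", "score": 0}; })()';

function parseWithEval(text) {
  // The 2007-era idiom: parentheses make an object literal parse as an
  // expression. Any other expression in `text` executes just the same.
  return eval('(' + text + ')');
}

function parseStrictly(text) {
  // JSON.parse accepts only the JSON grammar; anything else raises SyntaxError
  // and no code runs.
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed shape check: the application decides what a valid record looks like.
function validateScoreRecord(value) {
  return (
    value !== null &&
    typeof value === 'object' &&
    typeof value.user === 'string' &&
    /^[a-z0-9_]{1,32}$/.test(value.user) &&
    Number.isInteger(value.score) &&
    value.score >= 0
  );
}

function evalRunsEmbeddedCode() {
  globalThis.sideEffectRan = false;
  const result = parseWithEval(HOSTILE_RESPONSE);
  // eval returned a plausible-looking object AND executed the embedded function.
  return result.user === 'eve' && globalThis.sideEffectRan === true;
}

function jsonParseRejectsEmbeddedCode() {
  globalThis.sideEffectRan = false;
  const result = parseStrictly(HOSTILE_RESPONSE);
  // Rejected as a syntax error; the marker was never set.
  return result.ok === false && result.error === 'SyntaxError' && globalThis.sideEffectRan === false;
}

function honestResponseIsAccepted() {
  const result = parseStrictly(HONEST_RESPONSE);
  return result.ok && validateScoreRecord(result.value) && result.value.score === 42;
}

function wellFormedButWrongShapeIsRejected() {
  // Valid JSON with the wrong types: parsing succeeded, the shape check fails.
  const result = parseStrictly('{"user": ["not", "a", "string"], "score": "42"}');
  return result.ok && !validateScoreRecord(result.value);
}
```

The last function is the part json.js alone does not cover: a strict parser stops code from running, but the parsed object still has to be checked against what the page expects before it is used.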
- myFriendDerrik, on 10/12/2007, -4/+0
damn
- myFriendDerrik, on 10/12/2007, -5/+0