Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best long term choice: JSONP vs EasyXDM

Tags:

security

jsonp

cross-domain

What is the best long term choice between JSONP and EasyXDM to allow a domain on http to talk to the same domain on https (cross-protocol)?

For example, I would like that http://mywebsite.com talks to https://mywebsite.com because the session cookie is only over https. I would like to display a user name on the http website without having that data being transferred over http.

EasyXDM is scaring me with security release and JSONP is not very clear on the security precautions.

like image 494
Malartre Avatar asked Sep 09 '11 14:09

Malartre

1 Answers

Disclaimer: I'm the main author of easyXDM.

It is actually not easy to answer this directly, as there are many things to consider.

First, lets compare easyXDM and JSONP outside the scope of the question.

JSONP allows a client side program (Javascript using the BOM/DOM) to interact with a server side program(.net, php etc using db's, session storage etc), and it is only the client that can initiate messaging (request/response, polling, or push, although for push you could easily set an IMG.src, do XHR or a FORM post as you do not require a response).
The client is limited in the amount of data it can send to the server, and this data must also be formatted to fit as a query string parameter, and the server must be set up to respond to said data. For each message a network trip is run with the cost this incurs.

easyXDM facilitates messaging between any two client side programs using a string based transport stack. There does not need to be any server side programs involved, and there is no network traffic. The two sides are both equal and can both initiate messaging, and can both keep state on the client (hence the term programs instead of plain Javascript). The messages are not limited in size, and as long as the data can be serialized to a string, the transport can handle it (easyXDM allows you to set a custom serializer, or to use JSON).

The main difference between these two are that one is between a client and a server where only the client can initiate messaging, and that the other is between two equal client programs, where either one can use XHR and other means to communicate with, or relay data to a server.

Regarding security; JSONP demands that the client trusts the server absolutely, after all, it allows it to run arbitrary code in its program. Other than this, there are few issues, but this is a grave one.
With easyXDM only information (the string) and no code is transmitted, and it is up to the receiver to inspect the information and act on it. So there is absolutely no risk of execution of arbitrary code. While the above is true, some of the components that easyXDM relied on to establish the channel were vulnerable to XSS (a specially crafted url would cause the client to execute arbitrary code), but these have been closed. At the present no such vulnerabilities are known, and all new code is vetted thoroughly.

I myself use easyXDM for a few demanding projects, and sites like LinkedIn, Twitter and Disqus as well as applications run by Nokia and others have built their applications on top of the messaging framework provided by easyXDM, so there are many people who have gone over the code and checked it, and who through using it vouch for its security.

In the end, it is really about the use case. For example, JSONP can not be used for resizing a window across domains, as that require client/client communication. But easyXDM can be used for both client/client, and client/server by having one of the parties use XHR.

In your case, neither of these are really required if you need merely to make a small piece of information available on the unsecure domain.

  • Navigate through the secure domain, set a cookie on the unsecure one
  • Navigate through the secure domain, have it redirect to the unsecure passing information in its request
  • Navigate through the secure domain, have it store data in window.name before redirecting to the unsecure one.

If it is vital that the information cannot be spoofed, then you for all of these need to sign the data so that its authenticity can be confirmed, but if all you need is a name then this should be unnecessary.
A simple way to check the authenticity is to

  • On the unsecure domain, generate a random secret and store it, and redirect to the unsecure domain passing the secret.
  • On the secure domain pass back the secret together with the information (using either of the means described above)
  • on the client verify that the information contains the secret.

Since only the two parties could possibly have the secret, the information is verified.

To conclude, there really is no definitive answer, it all depends the situation. So choose, but choose wisely :)

like image 122
Sean Kinsey Avatar answered Nov 17 '22 20:11

Sean Kinsey
Sign in to Comment

Related questions

api security implementation php
Creating feature in mac app to override the users security setting
How to does the token prevent csrf attack?
Hashing a session fingerprint really necessary?
Attacking Python's pickle
What are the risks of PHP sessions?
How is it possible to access memory of other processes?
Websocket Security
Storing SSL cert in source control
Where to store a JWT token?
Storing Credentials in Local Storage
How do I prevent session hijacking by simply copy a cookie from machine to another?
Purpose of JSLint "disallow insecure in regex" option
What good ways are there to prevent cheating in JavaScript multiplayer games?
Must logins be a https page
With HTTPS, are the URL and the request headers protected as the request body is?
Rails SQL injection?
What is vulnerable about this C code?
Amazon S3 files access policy based on IP Address
Can javascript simulate a button click?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!