On Apr 16, 9:11 am, "Scottus " <[EMAIL PROTECTED]> wrote:
> The single takeaway (true point) they don't point out is that if you
> use any javascript hosted on a remote server (google adwords for
> example), it fully compromises any page that hosts these scripts.

I don't think that has anything to do with the article.

> So for any site that needs security: don't host third-party
> scripts/content. Problem solved.

Not at all. That has nothing to do with it. I think your conclusions are based on a misunderstanding of the article.

The true takeaway of the article is something that has been known for a long time, and rarely actually exists in reality: don't deliver a JSON response containing private information that consists of an Array literal as the base object, in response to a GET request that uses only session authentication.

In reality, I have yet to see any evidence that this problem actually exists in the wild. It's a theoretical security concern (not even a flaw) that is interesting but has very little practical application. A potential hacker would need to find a site that delivers private data in this very specific fashion, build a page to exploit that, then have you visit his page AFTER you have already logged in and established a session on the other site. In other words, that's not going to happen. IMO.

Matt Kruse
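As an added illustration (written for this page, not code from either poster or from the article they discuss), here is the specific response shape Matt describes, a bare Array literal returned by a session-authenticated GET endpoint, beside the two standard hardenings for it: wrapping the top level in an object and prefixing the body with a non-executable marker that the same-origin client strips before parsing. The sample contact data, the `d` wrapper key and the function names are assumptions.

```javascript
// Added example, not from the original thread.
// The hardened body is never a valid JavaScript program, so a cross-site
// <script src="..."> include cannot evaluate it; only a same-origin
// XHR/fetch client that knows to strip the prefix can read it.
const ANTI_HIJACK_PREFIX = ")]}',\n"; // a syntax error at statement start

// Server side: serialize private data for a session-authenticated GET.
function encodeProtectedJson(data) {
  // Never let an Array literal be the base object; wrap it (key is assumed).
  const wrapped = Array.isArray(data) ? { d: data } : data;
  return ANTI_HIJACK_PREFIX + JSON.stringify(wrapped);
}

// Client side (same origin): require the prefix, remove it, then parse.
function decodeProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("missing anti-hijack prefix; refusing to parse");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's check: would this body compile as a standalone script?
// new Function() only parses the text, it does not run it, so it serves
// here purely as a syntax oracle. A bare array literal parses fine; an
// object literal at statement start parses as a block and fails on the
// "key": part, and the prefixed body fails on the very first character.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: the kind of private data the thread talks about.
const SAMPLE_CONTACTS = [{ name: "alice", email: "alice@example.test" }];
const NAIVE_BODY = JSON.stringify(SAMPLE_CONTACTS);       // "[{...}]"
const HARDENED_BODY = encodeProtectedJson(SAMPLE_CONTACTS);

console.log("naive body executable:", isExecutableAsScript(NAIVE_BODY));
console.log("hardened body executable:", isExecutableAsScript(HARDENED_BODY));
console.log("client sees:", JSON.stringify(decodeProtectedJson(HARDENED_BODY)));
```

Either hardening alone breaks the script-include path; the prefix is kept as well because it also protects object-shaped responses that later gain array-shaped fields at the top level.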