Interesting JavaScript/Ajax security technique - should we adopt it

by Tim Hunt -
Number of replies: 4

I just saw this: http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses

Should we be doing that in Moodle?

Average of ratings: Useful (1)
In reply to Tim Hunt

Re: Interesting JavaScript/Ajax security technique - should we adopt it

by David Bezemer -

I would assume that creating CSRF tokens instead is a better way of doing it for Moodle.
Google essentially does this because it would require a humongous load to create CSRF tokens for all their JSON requests.

Also, there are still ways around the while(1); whereas CSRF tokens are watertight (the while(1); only stops inclusion in <script> tags).

Average of ratings: Useful (2)
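To make the technique from Tim's link concrete, here is an added example (mine, not code from the thread or from Moodle) of the two halves of the while(1); guard: the server prepends a statement that loops forever if the body is ever executed as a script, and the legitimate same-origin client strips that prefix before parsing. This is what David means by it only stopping <script> inclusion: a page on another origin that pulls the URL in via <script src> gets stuck in the loop before any data becomes reachable, and nothing else about the request is authenticated. The names guardJson and parseGuardedJson and the sample payload are my own.

```javascript
// Exact prefix used in the technique discussed in the thread.
const GUARD = 'while(1);';

// Server side: serialise the payload and prepend the guard statement.
// The result is deliberately NOT valid JSON, so anything that evaluates
// it as JavaScript (a cross-site <script src="..."> include) blocks on the
// loop, while anything that feeds it straight to a JSON parser fails.
function guardJson(payload) {
  return GUARD + JSON.stringify(payload);
}

// Client side: accept only bodies that carry the guard, strip it, then parse.
// Refusing unguarded bodies means that a new endpoint which forgets the
// prefix fails loudly in the client instead of silently shipping bare JSON.
function parseGuardedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(GUARD)) {
    throw new Error('response is missing the while(1); guard');
  }
  // JSON.parse still throws on malformed payloads after the prefix.
  return JSON.parse(body.slice(GUARD.length));
}

// Constructed sample of an AJAX reply (not real Moodle output).
const sample = { status: 'ok', courses: [{ id: 2, shortname: 'demo' }] };
const wire = guardJson(sample);
console.log(wire);                    // while(1);{"status":"ok",...}
console.log(parseGuardedJson(wire));  // the original object again
```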
In reply to David Bezemer

Re: Interesting JavaScript/Ajax security technique - should we adopt it

by Dan Poltawski -

Dumb grep:

$ git grep -l 'AJAX_SCRIPT' | xargs grep -L sesskey
availability/condition/date/ajax.php
badges/ajax.php
badges/assertion.php
course/category.ajax.php
course/dndupload.php
course/format/formatlegacy.php
course/format/topics/lib.php
course/format/weeks/lib.php
enrol/locallib.php
help_ajax.php
install.php
lib/ajax/getnavbranch.php
lib/ajax/getsiteadminbranch.php
lib/outputfactories.php
lib/setuplib.php
login/token.php
mod/assign/feedback/editpdf/ajax_progress.php
mod/glossary/showentry_ajax.php
report/loglive/loglive_ajax.php
tag/tag_autocomplete.php
webservice/pluginfile.php
webservice/upload.php
In reply to Dan Poltawski

Re: Interesting JavaScript/Ajax security technique - should we adopt it

by Tim Hunt -

OK, so currently we have a problem. The question is, how shall we solve it? The while (1) thing, or requiring sesskey in all AJAX scripts?

David's assumption seems logical to me.

I guess we could make codechecker scream if you define AJAX_SCRIPT but don't check sesskey? Or we could probably make it a developer debug warning somehow, but will anyone see developer debug messages during an AJAX request? (It only works if you send the messages to the logs, not the screen.)