JavaScript considered harmful (was Re: New online index to Be azley's tutorials)

John W. Baxter jwbaxter at spamcop.net
Wed Jan 9 06:00:28 CET 2002


In article <mailman.1010531652.8777.python-list at python.org>, Delaney,
Timothy <tdelaney at avaya.com> wrote:

> My solution? Send all the data as a single Javascript string (fields
> tab-delimited, records cr-delimited). Then a client-side JS function parsed
> the string and produced the required HTML.
> 
> This had multiple advantages - #1 being that I didn't have to send all the
> HTML, #2 being that each piece of info only needed to be sent once, and
> could then be used as many times as required (for example, both appearing in
> a generated URL, and appearing in the textual representation of the URL).
> 
> There are of course, some disadvantages - the need for Javascript being #1
> and memory use being the #2. It was very important to only deal with one
> record at a time. However, the solution used ended up with very little extra
> memory overhead (a poor solution could have really blown out memory usage
> however).
> 
> In any case, the final page ended up at approx 100K - 1/20 the original
> size. I was tempted to huffman compression on the JS string, but in the end
> decided that I had met my requirements and anything further would be
> over-engineering (and just for the fun of it, no less).

Bell Atlantic demonstrated how this approach can go horribly wrong. 
They included password verification in the JavaScript, and the JS
included the data which the password was intended to protect.

Result...

Go to the site, put in your phone number (or any other phone number in
the system), get the page, view source, and learn all sorts of good
things (name and address for unlisted numbers, the Bell Atlantic
"problem user" flag (ie, complainer), payment records, etc.

Post merger, Verizon got to deal with the problem (and the resulting
news coverage, which did better than their ads at getting the
post-merger name into people's minds, so the problem wasn't a total
loss).  Attempt 1 at a fix merely took away the link from higher in the
site...anyone who already knew the starting URL could still look up
info on any of the numbers.

But...
Naturally, you aren't doing that...you're doing your authentication
first.  Naturally.  (It sounds as if your application is appropriate.)

  --John



More information about the Python-list mailing list