acvcu

Reputation: 2506

Use of JSON-P with Sensitive Information

I have a secured website that requires a user to authenticate, and would like to return sensitive data to the client from my API via JSON-P so that I can get around ajax cross-domain issues. I own both the client and server, so I am not concerned about the security from the client perspective (i.e. reading malicious js from the server).

I have been researching ways to secure the JSON-P to prevent Cross-Site Request Forgery, but haven't been able to clearly determine whether checking the Referer is a foolproof method for securing the data. As I understand it, the Referer header cannot be spoofed in this situation because the calls would be from JavaScript, and headers cannot be changed. Is this a correct assumption?

I would like some clear-cut examples of why or why not checking the Referer would/wouldn't work to secure JSON-P.

Thanks!

EDIT:

Just to clarify - the JSON-P is secured via Spring Security, so it wouldn't only be secured by the Referer header. I am mostly concerned here about session hijacking...

Upvotes: 1

Views: 292

Answers (2)

bobince

Reputation: 536369

I would like some clear-cut examples of why or why not checking the Referer would/wouldn't work to secure JSON-P.

Referer is not guaranteed to be sent, so:

  • if you require it to be present and match a trusted site, you will be breaking the app for everyone whose browser or network setup doesn't send it;

  • if you permit it to be absent to get around that, you open yourself to attack not just for those users, but for everyone where the attacker can induce Referer not to be sent (most notably, from HTTPS pages);

  • also, to behave properly with proxies you would have to no-cache all your responses (or Vary: Referer, but that won't work right in IE)

Referrer-checking is a weak and problematic method which sometimes sees use as a desperate last measure... it's not something you should build when you've got the choice. If you control both servers you can easily include a request token on one page that gets recognised by the script on the other.

Upvotes: 1

Subir Kumar Sao

Reputation: 8401

JSONP URLs can be called using normal curl code. HTTP Referer can easily be forged.

Upvotes: 1
