O'Reilly Securing Ajax Applications, Part 4

Browser Security

Do we care about browser security? I mean, it's the client, the user's browser. Unless the user is you, you probably don't have a lot of control over this environment in the first place. So who cares, right? A couple of years ago I might have agreed. But with new web technologies and techniques such as Ajax and Flash pushing more responsibility onto the client, the browser can no longer be totally ignored. The design contract between the user and a web page is changing. How do users know when the page is loaded if the browser's loading icon doesn't stop spinning? Rather than a simple request-response model, the page now can make micro requests, moving some session state to the browser. The browser is now a first-class citizen in the application's data flow, and we have to start thinking about it differently. Each page now plays a major role in the application, and in some ways the page is the application. Therefore, we need to care more about what technologies are running out on the browser and how best to help secure that environment. Developers are forced to think more about what is happening on the client and react accordingly. At some point it becomes important to care about the security of the browser. After all, your users are using browsers, and if your application is running code in the browser, it should be secure. You may not be able to control everything out there, but if you do even a little to help educate your users, the Internet can be a safer place.
Some common security questions that we should ask while developing applications that are involved with or rely on the client are ones such as: Is the client authenticated? Is the channel with the client secure? Is the client sending us data? How is that data validated? Does the browser have any data persisted locally? Is that data confidential? Does the user have a session? To answer these questions and evaluate all the different web technologies together, we need a system for commonly identifying risk.

STRIDE I .