
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

This can result in a massive speed-up in the user's browsing experience,
and it can enable much greater levels of interactivity.
One popular format for this downstream data flowing from the web server to the
user's browser is the JavaScript array. Since AJAX JavaScript needs to order and parse
data efficiently, it makes sense for developers to use a format that creates the
proper data structures as a side effect of being downloaded and evaluated in the browser's
JavaScript interpreter. Generally, this request is made using the XMLHttpRequest (XHR)
object, and the data downloaded with that object is executed in the browser using the
JavaScript eval() function.
The XHR object poses a special problem for an attacker attempting CSRF. Unlike HTML
forms, images, or links, the XHR object is allowed to speak only to the origin (scheme, host,
and port) of the web page that created it. This simple precaution closes off a whole class
of cross-domain attacks against web applications. However, when the downstream data is
itself legal JavaScript, there is a method to get the same result as a cross-domain XHR
request would.
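The following is an added example, not code from the book, that makes the pattern of the two preceding paragraphs concrete: a downstream response shaped as a JavaScript array, handed to eval() by the client, becomes a live data structure, and anything else that is legal JavaScript in that body is executed along with it. The response bodies, the contact records, and the helper names (loadViaEval, loadViaJsonParse, parseBothWays, recordSideEffect) are constructed for this illustration and are not taken from the book's GoatFriends code.

```javascript
// Added example (not from the book). Demonstrates why "downstream data that is
// legal JavaScript" behaves differently from plain data: eval() executes it.

// Constructed stand-in for the body an XHR would fetch from the origin server:
// a bare JavaScript array literal, one object per contact.
const CONTACT_LIST_BODY =
  '[{"user":"alice","status":"online"},{"user":"bob","status":"away"}]';

// The pattern the text describes: the response body is passed straight to
// eval(), and the interpreter builds the array/object structure while evaluating
// it. The parentheses force the body to be read as an expression (needed for a
// bare object literal, harmless for an array literal).
function loadViaEval(body) {
  return eval('(' + body + ')');
}

// Strict alternative: JSON.parse accepts only the JSON data grammar, so a body
// that contains executable JavaScript is rejected instead of being run.
function loadViaJsonParse(body) {
  return JSON.parse(body);
}

// Counter used to prove that evaluating a body can run code as a side effect.
let sideEffectCount = 0;
function recordSideEffect(value) {
  sideEffectCount += 1;
  return value;
}

// Constructed body that is legal JavaScript but NOT JSON: it calls a function
// (and uses an unquoted key) while being "loaded".
const SCRIPT_SHAPED_BODY = '[recordSideEffect({user:"carol"})]';

// Load the same body both ways and report what each approach produced.
// Returns { eval: <value>, json: <value or null>, jsonError: <error name or null> }.
function parseBothWays(body) {
  const result = { eval: null, json: null, jsonError: null };
  result.eval = loadViaEval(body);
  try {
    result.json = loadViaJsonParse(body);
  } catch (err) {
    result.jsonError = err.name;
  }
  return result;
}

// Stand-alone demonstration when run directly with Node.
const plain = parseBothWays(CONTACT_LIST_BODY);
console.log('array body via eval():', JSON.stringify(plain.eval));
console.log('array body via JSON.parse():', JSON.stringify(plain.json));

const scripted = parseBothWays(SCRIPT_SHAPED_BODY);
console.log('script-shaped body via eval():', JSON.stringify(scripted.eval),
  '(side effects so far:', sideEffectCount + ')');
console.log('script-shaped body via JSON.parse():', scripted.jsonError);
```

The point for a reviewer is the second body: the client code never asked for anything to run, yet because the transport format is "whatever eval() accepts", the data channel is also a code channel. That is the property the book's next pages build on when they turn the downstream array against the user.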
Let's say the GoatFriends team has decided to add a browser-based instant messaging
client, and they have decided to maintain the contact list of users using AJAX code.

