On Thursday 19 April 2007 13:05, Chris Travers wrote:
> > Obviously LSMB would not be susceptible to buffer overflows, but every
> > day I see more and more seriously negative stuff about javascript.
> > My understanding is that LSMB development is going to add a lot of
> > javascript based web 2.0/ajax type stuff, which IS wonderful to use.
> > Are there plans for the new interfaces to "degrade gracefully" without
> > loss of function (some loss of convenience couldn't be avoided), if a
> > person found that javascript HAD to be turned off and kept off because
> > of non-LSMB security issues?
Several of the core developers (with good reason) have access to, and insist
on a gracefully degraded interface for lower-end hardware, such as hand held
scanners, and low-memory/low-resolution workstations. This is something we
will maintain throughout the development process.
I am not a security researchers, but I suspect a good many of those attacks on
AJAX interfaces are because the interface on the server side of things are
far too trusting.
I think the REST API we're planning will go a long way to mitigate these types
of attacks, because input is validated, translated, and even then only
permitted to mutate server data in specific ways. (But also note, we don't
claim invincibility... yet :)) I also think the REST interface will also
help enforce a degradeable interface since it will only allow access to
arbitrary objects, and discourage arbitrary actions. (Besides GET, PUT, POST,
DELETE)
Jason
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel