Is an SSL'ed JSON API that uses cookies for authentication and a nonce generally protected?

If I create an SSL API that authenticates with the session identifier stored in a cookie, adds the nonce as a request parameter and always answers with an "Object" JSON response (as opposed to a JSONP-style response with a callback), is it safe in general and, in particular, against XSRF?

The purpose of such an API is only to make it accessible to pages in my own domain and to allow the publication of personal data (such as username and emails) through this API (which could not be used by other domains) - and to keep reasonable simplicity for the developers in a team.

Let me at least share what I understand about this approach, and why I think it is safe. Please enlighten me if I am mistaken!:

  • A <script> tag dropped on a third-party domain and pointing to our site will send my cookies, but will not be able to parse the JSON object response (and the response will intentionally always be a JSON object at the top level). In addition, I need to make sure that API calls that affect state on the server are protected by requiring a method other than GET, because <script> tags must use GET and therefore cannot invoke state-changing calls (in other words, the API will adhere to REST in terms of HTTP methods). In addition, I deliberately do not support JSONP, because it would be a security hole.
  • Man-in-the-middle, cookie (), , SSL .
  • - , nonce , HTTPS, , API - .
  • XMLHttpRequest , - .
  • CORS (Cross ORigin Resource Sharing) , crossdomain.xml , HTML 5.
  • , , - - iframe , - ( # URL- iframe, , iframe, ).

EDIT: , nonce GET (.. <script>), russau. , nonce API POST, ; , XmlHTTPRequest nonce . , -, nonce-friendly. (.. /javascript - nonce API, , nonce , "bad nonce" - .

+3
1
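The scheme described in the question, as an added example that is not code from the original post: cookie session, top-level JSON object responses, read-only routes on GET only, and state-changing routes that refuse GET and require the per-session nonce. The session store, route table and session id are constructed for the example.

```python
import hmac
import json
import secrets

# Constructed in-memory session store: session id (from the cookie) -> user and per-session nonce.
SESSIONS = {"sid-abc123": {"user": "alice", "email": "alice@example.com",
                           "nonce": secrets.token_hex(16)}}
# Constructed route table: read-only routes answer GET, state-changing routes only non-GET.
ROUTES = {"/me": "read", "/me/email": "write"}


def render(body):
    """Every response is a JSON *object* at the top level, never an array or a JSONP callback,
    so a cross-site <script src=...> that carries the victim's cookie cannot read it."""
    if not isinstance(body, dict):
        raise TypeError("API responses must be top-level JSON objects")
    return json.dumps(body)


def api_handler(method, path, cookies, params):
    """Return (status, body) for one request; cookies and params are plain dicts."""
    kind = ROUTES.get(path)
    if kind is None:
        return 404, {"error": "no such route"}
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, {"error": "not authenticated"}
    if kind == "read":
        if method != "GET":
            return 405, {"error": "read-only route"}
        # The nonce is only obtainable through this authenticated response, which another
        # origin cannot parse; it is what a later state-changing call must present.
        return 200, {"user": sess["user"], "email": sess["email"], "nonce": sess["nonce"]}
    # State-changing route: GET is refused outright, so a <script> or <img> tag cannot trigger it.
    if method == "GET":
        return 405, {"error": "state change requires POST"}
    # A non-GET request must present the session's nonce; compare in constant time.
    supplied = params.get("nonce", "").encode()
    if not hmac.compare_digest(supplied, sess["nonce"].encode()):
        return 403, {"error": "bad nonce"}
    sess["email"] = params.get("email", sess["email"])
    return 200, {"ok": True, "email": sess["email"]}
```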

, , - DNS-. - ( vhost), , .

+1
