Monday, September 21, 2009

Prevent XSS with an API key!

Ruby on Rails usually isn't susceptible to XSS / Cross Site Scripting Attacks because it uses an authenticity_token.

However, with our site we're trying to rid ourselves of all of this web 1.0 crap and stick with an architecture that is friendly to 3rd party web applications.

Following the mantra of "my interface sucks", we must assume that the user may be using a 3rd party interface and will never access our own, so we have to provide a way to prevent XSS without relying on the Same Origin Policy at all.

Flickr does this by using an API key. And what better way to test our API than to use it on our own site?

If we actually get around to that, these links look useful:
http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/4bf83a14fc82432f
http://stackoverflow.com/questions/350299/rails-plugin-for-api-key-secret-key-signing
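A Flickr-style API key plus secret signing scheme, as an added example rather than code from this post, from Rails or from Flickr: each request is signed with HMAC-SHA256 over the method, path, sorted parameters and a timestamp, and the server checks the key, the replay window and the signature in constant time. The names (sign_request, verify_request, the header names and the demo credentials) are assumptions made for illustration.

```ruby
require 'openssl'
require 'time'

# Constructed sample credential store (api_key => shared secret).
# A real deployment looks these up per client from a database.
API_CLIENTS = {
  'demo-key' => 'demo-secret-please-rotate'
}.freeze

# The canonical string covers everything the server should trust, so
# changing the method, path, any parameter or the timestamp breaks the signature.
def canonical_string(method, path, params, timestamp)
  sorted = params.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  "#{method.upcase}\n#{path}\n#{sorted}\n#{timestamp}"
end

# Client side: produce the headers a 3rd party interface would attach.
# The secret never travels with the request, only the HMAC over it does.
def sign_request(api_key, secret, method, path, params, timestamp = Time.now.utc.iso8601)
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, canonical_string(method, path, params, timestamp))
  { 'X-Api-Key' => api_key, 'X-Timestamp' => timestamp, 'X-Signature' => sig }
end

# Constant-time comparison so timing differences do not leak signature bytes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: a request is accepted only if it carries a known key, a fresh
# timestamp and a signature that could only be produced with that key's secret.
# A page on another origin cannot produce this, which is what replaces the
# authenticity_token for 3rd party clients.
def verify_request(headers, method, path, params, now: Time.now.utc, max_skew: 300)
  secret = API_CLIENTS[headers['X-Api-Key']]
  return false unless secret                      # unknown API key
  begin
    ts = Time.iso8601(headers['X-Timestamp'].to_s)
  rescue ArgumentError
    return false                                  # malformed timestamp
  end
  return false if (now - ts).abs > max_skew       # outside the replay window
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret,
                                     canonical_string(method, path, params, headers['X-Timestamp']))
  secure_equal?(expected, headers['X-Signature'].to_s)
end
```

Rotating the secret invalidates every signature made with it, so revoking a compromised 3rd party client is a single row update rather than a change to every user's session.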
