Thursday, 15 August 2013

php - How to secure json -




So I have a main page that gets info from a JSON link and populates a dropdown based on the data. The question is, anyone can access the URL and the JSON gets printed; I want to secure it so that only the server, i.e. pages running on the server, can access the JSON output.

I was thinking of comparing PHP server vars such as REMOTE_ADDR and SERVER_ADDR, but REMOTE_ADDR is the client's IP, not the server's.

What is the way to go about doing this?

Thanks

The security issue you refer to is known as JSON hijacking, and whilst browsers include features to mitigate the risk, it is still an issue in other browsers.

Fortunately there is a simple solution. To understand it, you need to understand how the attack works in the first place. It isn't possible for a third-party site to request the JSON file via XMLHttpRequest and parse it in the normal way, as that is prevented by the same-origin policy. Instead, the attacker redefines the object setter functions in JavaScript to return the values of new objects to their own code, and creates a new <script> tag referencing the JSON file. When the JSON is loaded the browser executes it, creating new objects and returning their values to the attacker's object setter handler. The attacker then has the data.

To prevent this, you need to make it impossible to parse the JSON code straight from JavaScript. You want to make it throw an error if that is done. One common way to accomplish this (used by sites such as Google and Facebook) is to add code to the start of the JSON file that creates an infinite loop, preventing the parser from reaching the rest of the code (and throwing a JavaScript error).

For example, Facebook's JSON responses start with the string for(;;);, while Google uses various bits of code such as while(1); and throw(1); <don't be evil> (the latter throws an error directly, rather than creating an infinite loop).

You then need to modify your own JSON handling JavaScript to strip this cruft out before parsing it. For example, you might do:

    function parseJSON(json) {
        // strip the anti-hijacking prefix the server prepended
        json = json.replace("for(;;);", "");
        // then parse the JSON as usual
        return JSON.parse(json);
    }

This adds a little bit of cruft to your script and JSON, but it is effective at preventing JSON hijacking.
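As an added example (not part of the original answer), the prefix mitigation shown from both sides in JavaScript: a server-side wrapper standing in for what the PHP page would do with json_encode, and a client-side unwrapper that strips the prefix only when it is at the very start of the body, so a data value that happens to contain the same string is left intact. The prefix list and function names are assumptions for this example.

```javascript
// Added example, not the original answer's code.
// Prefixes named in the answer above; any of them makes the body
// unusable as a bare <script> source while leaving the JSON intact after it.
const HIJACK_PREFIXES = ["for(;;);", "while(1);", "throw(1); <don't be evil>"];

// Server side (in PHP this would be: echo 'for(;;);' . json_encode($data);)
function wrapJSON(data, prefix = "for(;;);") {
  if (!HIJACK_PREFIXES.includes(prefix)) {
    throw new Error("unknown anti-hijacking prefix");
  }
  return prefix + JSON.stringify(data);
}

// Client side: refuse bodies without a prefix (they should never be served
// unprotected), strip the prefix from the start only, then parse.
function parseProtectedJSON(body) {
  const prefix = HIJACK_PREFIXES.find((p) => body.startsWith(p));
  if (prefix === undefined) {
    throw new Error("response lacks anti-hijacking prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// Plain JSON.parse on the wrapped body fails, which is the point:
// the response is not consumable as ordinary JSON by anyone skipping the strip.
function wrappedBodyIsPlainJSON(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}
```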

php json
