This video covers a strategy for preventing data theft. Instead of walking through doing this, this video focuses on explaining the problem and solution, and then pointing out that frameworks probably do this for you. The strategy covered in this video works through surreptitious use of JSONP; the instructor explores why this works, how to configure it, and how to set up your code to strip the prefix when using the code legitimately.
Browsers enforce what's known as the same-origin policy. This policy allows a script to access data from another script only if both scripts share the same origin. The origin includes the scheme (http or https), the host name, and the port number, so this effectively prevents a script from accessing data that comes from another server. Now, in some cases you want to permit data sharing, and there are a number of schemes in use that let us do this.
At the same time, we have to recognize any unintentional back doors and be sure to lock them up. The same-origin policy applies to code in a script. However, an HTML document can load scripts from any origin. Some attackers have taken advantage of this by running malicious code that adds a new script element to an HTML document. This is known as a cross-site script injection attack, sometimes abbreviated XSSI. By hijacking what the browser does after parsing the data, malicious code can intercept that data and send it to the attacker.
So, we just need to add a method to the myApp object that removes this statement from the start of the data and then parses the remaining data. So, we'll create a method called strip data, and in that method we'll create a clean data variable that uses the slice method to return the value of this dot data stream with the first nine characters removed, and then we'll add a console dot log statement so we can confirm that our code worked.
Outside of the method, we'll add a statement to actually call it. Then, we'll save our work. Then we'll open the file in Chrome and open the console in the developer tools, and we can see here that the result of our strip data method is a JSON array that we can then work with in our code. Again, because we're operating from the same origin as the data source, we're able to run code to modify it, and we can get the data out without being hampered by the error-generating statement, which should prevent any malicious uses.
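The strip-and-parse step described above, written out as an added example (not code from the course). It assumes the server prepends the nine-character prefix `while(1);` to every JSON response, which this transcript segment does not show, and it checks that the prefix is actually present before slicing so that real data is never silently truncated.

```javascript
// Added example: stripping an anti-XSSI prefix before parsing a JSON response.
// Assumption: the endpoint prepends "while(1);" (9 characters, matching the
// slice of nine in the transcript). If an attacker's page loads the endpoint
// with a <script> tag, that loop runs before any data is reached, so the
// browser never hands the data to the attacker's code. Same-origin code can
// read the raw text, strip the prefix, and parse the rest.

const XSSI_PREFIX = "while(1);"; // assumed prefix, 9 characters

// Constructed sample of what the protected endpoint would return.
const SAMPLE_RESPONSE = 'while(1);[{"id":1,"name":"Ada"},{"id":2,"name":"Grace"}]';

function stripData(dataStream, prefix = XSSI_PREFIX) {
  // Do not guess: if the prefix is missing we are talking to a different
  // endpoint or the protection was removed, and blindly slicing nine
  // characters would corrupt legitimate data.
  if (typeof dataStream !== "string" || !dataStream.startsWith(prefix)) {
    throw new Error("response does not carry the expected anti-XSSI prefix");
  }
  const cleanData = dataStream.slice(prefix.length);
  return JSON.parse(cleanData);
}

// The server side of the same idea: what the same-origin endpoint emits.
function addPrefix(value, prefix = XSSI_PREFIX) {
  return prefix + JSON.stringify(value);
}

// Browser usage (same-origin fetch, so the body is readable):
//   fetch("/api/users").then(r => r.text()).then(t => console.log(stripData(t)));
```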