this is for holding javascript data
Alec Aivazis edited Because_of_this_it_s__.html
over 8 years ago
Commit id: c4f3d9755ab423e531fa23f5efd9395c5399a7e3
deletions | additions
diff --git a/Because_of_this_it_s__.html b/Because_of_this_it_s__.html
index 94e4410..3cbed8c 100644
--- a/Because_of_this_it_s__.html
+++ b/Because_of_this_it_s__.html
...
Because of this it's
A New Application Architecture Brings New Vulnerabilities
It's clear that we need to have a way of viewing the local authentication data for use by the application logic. However, special care needs to be made to prevent someone interacting with the developers console to be able to change the local authentication data in order to gain access to restricted parts of the code by elevating their permissions. This
highlights another reason not to use global variables. This is a different type of network vulnerability than the traditional three (
xss,
csrf, and
man in the middle) that arises due to the nature of SPAs. Previous paradigms did not have this problem because they could authenticate every
GET request
using traiditional methods and prevent the user from going somewhere they shouldn't. Even if one were to have a solution for this (in light of the malicious browser), we would still still authenticate backend endpoints to prevent data from leaking. The client can never
be trusted and performing crypto on the browser is a
bad idea. However, we need a quick way to authenticate frontend routing logic that is
truthworthy.
truthworthy.