JSFoo 2012 Chennai

Chennai JavaScripters ahoy!

Krishna Chaitanya T


JavaScript is mischievous. Handle 3rd party content with care!

Submitted Feb 8, 2012

The objective of this talk is to explain how insecure client side communications can be and the care one should take to securely integrate third party content.


Mashups, a breed of modern web applications, often integrate content from different origins on the client side and provide rich interactivity. The aggregated content can be in the form of widgets, social plugins, advertisements etc. A mashup built just by embedding third party JavaScript files is inherently insecure as its security boils down to ‘trust’ on the script provider.

Building secure web mashups involves several challenges like keeping same origin policy, navigation policies of browsers in mind, assuring confidentiality, authentication, reliability, script isolation etc. Also, when sufficient care is not taken, attackers can eavesdrop inter-party communication via framing attacks, deceive via UI-redress attacks etc. This talk tries to cover these challenges and explain secure coding practices for building web mashups.


Decent knowledge of JavaScript.
Experience of building mashups will help understand the talk better.

Speaker bio

I’m a web guy working at a reputed security research lab at Hyderabad. I blog on my little tech experiments, present regularly at Microsoft’s online & offline technical community events on web development.
I’m a Microsoft MVP for ASP.NET (2010) and Internet Explorer (2011). More info on my blog.




{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

JSFoo is a forum for discussing UI engineering; fullstack development; web applications engineering, performance, security and design; accessibility; and latest developments in #JavaScript. Follow JSFoo on Twitter more