Wednesday, May 13, 2015

Beware where you are POSTing!

Recently I had the pleasure of working with Highcharts, a JavaScript library for creating dynamic diagrams. Recommended!

The client also wanted to be able to download the data behind the diagrams as a CSV file. A quick look through the documentation showed that Highcharts supports this scenario. There are multiple ways to do it, but the one I've seen most often involves POSTing your diagram data to a page that resides on the Highcharts domain.

That csv.php page only adds the headers to create a download:
This means that if you use this construction, all your diagram data is sent to a page that is under the control of Highcharts. Remember, I'm not claiming that Highcharts will do anything malicious with your data!
On the contrary: the Highcharts documentation itself advises you to create your own page if you don't want to expose your data, and explicitly warns that their page could disappear at any moment.

However, a quick search on GitHub showed that a number of projects are still using the Highcharts csv.php page, meaning that all their diagram data is posted to another party, and over plain HTTP at that, so anyone on the network path can read it as well.
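The check a practitioner wants here is a way to see, before the hidden form is built, where the action of that form actually sends the data. The following is an added example written for this page (not code from the post or from Highcharts): it resolves a form action against the page's origin, flags third-party and plaintext targets, quotes the rows as CSV, and only then builds the POST. The origin, the endpoint paths, the `third-party.example` stand-in for the Highcharts helper page and the `csv` field name are assumptions.

```javascript
// Added example (editor's code, not from the post or from Highcharts).
// The export pattern described above builds a hidden <form> and POSTs the
// chart's CSV to whatever page is in its action. These helpers make the
// destination an explicit, checked decision instead of a string that
// happens to point at a third party.

// Assumed origin of the application that serves the chart page.
const PAGE_ORIGIN = 'https://charts.example.com';

// Assumed, illustrative URLs: the first stands in for the third-party helper
// page the post warns about, the second for an endpoint on our own site.
const THIRD_PARTY_HELPER = 'http://third-party.example/csv.php';
const OWN_ENDPOINT = '/export/csv';

// Where does a form action really send the data? Relative actions resolve
// against our own origin; absolute ones may not.
function classifyExportTarget(action, pageOrigin = PAGE_ORIGIN) {
  const page = new URL(pageOrigin);
  const target = new URL(action, pageOrigin);
  return {
    href: target.href,
    thirdParty: target.origin !== page.origin, // data leaves our origin
    plaintext: target.protocol === 'http:',    // readable by anyone on the path
  };
}

// RFC 4180 quoting: a value containing a comma, quote or newline is wrapped
// in quotes with inner quotes doubled, so one data point cannot add columns
// or rows to the file.
function toCsv(rows) {
  const quote = (v) => {
    const s = v === null || v === undefined ? '' : String(v);
    return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
  };
  return rows.map((r) => r.map(quote).join(',')).join('\r\n') + '\r\n';
}

// Plan the POST the pattern performs. Refuses to leave our origin unless the
// caller opts in, and never sends over plaintext HTTP. The field name "csv"
// is an assumption about what the helper page expects.
function planExportPost(csv, action, { pageOrigin = PAGE_ORIGIN, allowThirdParty = false } = {}) {
  const where = classifyExportTarget(action, pageOrigin);
  if (where.plaintext) {
    throw new Error(`refusing to POST chart data over plaintext HTTP to ${where.href}`);
  }
  if (where.thirdParty && !allowThirdParty) {
    throw new Error(`refusing to POST chart data to third party ${where.href}`);
  }
  return { method: 'post', action: where.href, fields: { csv } };
}

// Browser side: turn a plan into a hidden form and submit it. The document is
// passed in so everything above stays testable outside a browser.
function submitExportPost(doc, plan) {
  const form = doc.createElement('form');
  form.method = plan.method;
  form.action = plan.action;
  for (const [name, value] of Object.entries(plan.fields)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
}

// Constructed sample: the shape of data one pulls out of a chart's series.
const SAMPLE_ROWS = [
  ['Month', 'Revenue'],
  ['Jan, 2015', 1200],
  ['Feb "promo"', 980],
];
```

In a page, the call is `submitExportPost(document, planExportPost(toCsv(rows), OWN_ENDPOINT))`; swapping `OWN_ENDPOINT` for `THIRD_PARTY_HELPER` throws instead of silently shipping the data elsewhere, which is exactly the failure the GitHub search above turned up.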

So kids, whenever you are about to POST data to a third party, ask yourself whether you mind that the data being posted is now potentially public. If you do, create your own page to handle that download.

In ASP.NET MVC it is as simple as creating the following controller method:
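The controller method itself does not appear above. What follows is an added example, not the post's own code, showing the same idea as a Node.js request handler instead of an ASP.NET MVC action: a page on your own origin that takes the POSTed CSV and hands it straight back with download headers, so the diagram data never leaves your site. The path, the size limit, the `csv` and `filename` field names and the default filename are assumptions.

```javascript
// Added example (editor's code, not the controller from the post).
// A same-origin replacement for the third-party csv.php helper: it reflects
// the POSTed CSV back as a file download and nothing else.

const MAX_BODY_BYTES = 1024 * 1024;            // assumed cap on one export
const FIELD_NAME = 'csv';                      // assumed form field carrying the data
const FILENAME_RE = /^[A-Za-z0-9_-]{1,64}$/;   // names we accept for the download

// Pure core: given method, content type and raw body, return the response to
// send. Keeping it free of http objects makes it testable and reusable.
function buildCsvDownload(method, contentType, body, { maxBytes = MAX_BODY_BYTES } = {}) {
  const text = (status, msg) => ({ status, headers: { 'Content-Type': 'text/plain' }, body: msg });
  if (method !== 'POST') {
    return { status: 405, headers: { Allow: 'POST', 'Content-Type': 'text/plain' }, body: 'POST only\n' };
  }
  if (!/^application\/x-www-form-urlencoded(\s*;.*)?$/i.test(contentType || '')) {
    return text(415, 'form-encoded body expected\n');
  }
  if (Buffer.byteLength(body, 'utf8') > maxBytes) {
    return text(413, 'export too large\n');
  }
  const fields = new URLSearchParams(body);
  const csv = fields.get(FIELD_NAME);
  if (csv === null || csv.length === 0) {
    return text(400, `missing ${FIELD_NAME} field\n`);
  }
  // A client-chosen filename is only honoured when it is a plain token, so
  // nothing like "../x" or a quote ever reaches the Content-Disposition header.
  const requested = fields.get('filename') || 'chart';
  const filename = FILENAME_RE.test(requested) ? requested : 'chart';
  return {
    status: 200,
    headers: {
      // Declared as CSV, forced to download and marked nosniff: the endpoint
      // reflects whatever it receives, so it must never be rendered as HTML.
      'Content-Type': 'text/csv; charset=utf-8',
      'Content-Disposition': `attachment; filename="${filename}.csv"`,
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: csv,
  };
}

// http glue: collect the body (bounded), then delegate to the pure core.
function handleCsvExport(req, res) {
  const chunks = [];
  let received = 0;
  let tooLarge = false;
  req.on('data', (chunk) => {
    if (tooLarge) return;
    received += chunk.length;
    if (received > MAX_BODY_BYTES) {
      tooLarge = true;      // keep draining, answer 413 at the end
      chunks.length = 0;
      return;
    }
    chunks.push(chunk);
  });
  req.on('end', () => {
    const out = tooLarge
      ? { status: 413, headers: { 'Content-Type': 'text/plain' }, body: 'export too large\n' }
      : buildCsvDownload(req.method, req.headers['content-type'], Buffer.concat(chunks).toString('utf8'));
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  });
}

// Run directly to serve it; port is an assumption.
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('node:http');
  http.createServer(handleCsvExport).listen(8080, () => {
    console.log('CSV export endpoint on http://localhost:8080/ (POST csv=...)');
  });
}
```

Point the export form's action at this handler on your own host and the data round-trips through your server only. In ASP.NET MVC the same shape is an action that returns `File(bytes, "text/csv", "chart.csv")`, with the same content-type and filename checks applied before building the result.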
