AJAX - The Complete Reference

(avery) #1

330 Part II: Developing an Ajax Library


calculated for the data. If the values don’t match, the user is alerted to the possibility of data
tampering.

if (response.signedResponse)
{
    // Checksum the server sent alongside the response
    var signature = response.xhr.getResponseHeader("Content-MD5");
    // Recompute the checksum over the body actually received
    var verifySignature = AjaxTCR.data.encodeMD5(response.xhr.responseText);
    // Any mismatch marks the response as failed rather than trusting its payload
    if (signature != verifySignature)
        response.fail = "Response Packet Compromised.";
}

You can see this example in Figure 7-16 and find the code at http://ajaxref.com/ch7/responsesignature.html.
It should be clear that the response signature is less secure than the request signature: if an intruder can modify the payload, they can most likely also modify the checksum header, and in this example a standard, unmodified MD5 hash is used.
You might be tempted to add a secret into the hash, but then you would have to transmit that

FIGURE 7-15 Request signatures in action