Author: Ben Vinegar & Anton Kovalyov
Reviewer: Ian Elliot
Chapter 5 explains the mysterious topic of cross-domain iframe messaging, i.e. using the postMessage API. The big problem here is browser support, and so a lot of the chapter is devoted to fallback techniques, all of which are complicated and messy. The solution is to use a library such as easyXDM.
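As an added illustration of the security side of postMessage that is not code from the book: a publisher page receiving messages from a third-party widget iframe must check `event.origin` exactly and validate the payload before acting on it, and the sender should never broadcast with a `"*"` target origin. The widget origin `https://widget.example.com` and the `resize` message type are assumed for the example.

```javascript
// Added example: a defensive window.onmessage handler for a page that embeds a
// third-party widget iframe. Every window receives cross-origin messages, so the
// handler, not the browser, is responsible for deciding which ones to trust.
const ALLOWED_ORIGINS = new Set(["https://widget.example.com"]); // assumed widget origin

// Returns a listener that only dispatches well-formed messages from an allowed origin.
// `handlers` maps a message type to a function(payload); everything else is dropped.
function createMessageHandler(allowedOrigins, handlers) {
  return function onMessage(event) {
    // Exact comparison: a prefix or suffix test would also accept
    // https://widget.example.com.attacker.test or http://widget.example.com.
    if (!allowedOrigins.has(event.origin)) return { accepted: false, reason: "origin" };
    const data = event.data;
    if (typeof data !== "object" || data === null) return { accepted: false, reason: "shape" };
    const handler = handlers[data.type];
    if (typeof handler !== "function") return { accepted: false, reason: "type" };
    return { accepted: true, result: handler(data) };
  };
}

// Sender side: always pass the concrete target origin, never "*", so the message is
// not delivered if the iframe has since navigated to a document on another origin.
function sendToWidget(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to broadcast to any origin");
  targetWindow.postMessage(message, targetOrigin);
}

// A resize handler that also bounds the value it is given, so a compromised
// widget cannot ask the publisher page for an absurd iframe height.
const widgetMessageHandler = createMessageHandler(ALLOWED_ORIGINS, {
  resize: (m) =>
    Number.isInteger(m.height) && m.height > 0 && m.height <= 2000 ? m.height : null,
});

if (typeof window !== "undefined") {
  window.addEventListener("message", widgetMessageHandler);
}
```

In a browser the `event` objects are real `MessageEvent`s; for a stand-alone check, plain objects with `origin` and `data` fields exercise the same logic.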
From here we move on to consider authentication and sessions as implemented by third-party cookies, those most hated of all cookies. Again, a large part of the chapter is devoted to workarounds to overcome the problem of users turning off third-party cookies.
Chapter 7 gets to grips even more with security issues: cross-site scripting, cross-site request forgery and publisher impersonation. Vinegar and Kovalyov don't offer any universal solutions; they simply try to make you aware of the possibilities. In most cases you need to sanitize all user input, or just don't allow user input!
Overall the discussions are good, with a slight hint of humour. The examples are short and to the point. The server-side examples are in Python, but easy enough to understand.
It is worth noting that most of the problems are artificially created by either poorly thought out security measures or scare stories that make users lock down their systems by removing useful facilities. Good security shouldn't stop you doing what you want to do.
There are also lots of scenarios that the book doesn't even consider, but then neither does anyone else. For example, how do you arrange that your API is only accessible by a script you have authorized? You can't use a password or private token on the client side, because on the client side there is no "private".
A good book. Go and read it.