- From: Robert Brewer <fumanchu@aminus.org>
- Date: Wed, 3 Sep 2008 13:47:31 -0700
- To: "Kris Zyp" <kris@sitepen.com>, "Jamie Lokier" <jamie@shareable.org>
- Cc: "Yves Lafon" <ylafon@w3.org>, "Julian Reschke" <julian.reschke@gmx.de>, <ietf-http-wg@w3.org>
Kris Zyp wrote: > > If it's only used with the "application/json" media-type, and it can > > define that "items" always refers to _array_ items (i.e. numbered) > > and the JSON _top-level_ object is an array, then I have no such > > concern. > > I agree, it should only be applicable when the top-level entity is an > array. Except...there are a number of people who close a set of XSS attacks by mandating their JSON implementations never return a top-level array, only an object. Cf http://www.kid666.com/blog/2006/12/23/security-ajax-json-satisfaction/ Robert Brewer fumanchu@aminus.org
Received on Wednesday, 3 September 2008 20:46:33 UTC