Avoiding top-level JSON arrays is a pretty hackish way of protecting against exploits; there are much better forms of security. It doesn't seem like this practice should influence range units. Once again, I would think that those that really want a top-level object, for security or for metadata reasons, could create a sub-format/content type that defined the top-level object, the collection property, and the proper behavior for items range units with that format.

Kris

> Kris Zyp wrote:
>> > If it's only used with the "application/json" media-type, and it can
>> > define that "items" always refers to _array_ items (i.e. numbered)
>> > and the JSON _top-level_ object is an array, then I have no such
>> > concern.
>>
>> I agree, it should only be applicable when the top-level entity is an
>> array.
>
> Except...there are a number of people who close a set of XSS attacks by
> mandating their JSON implementations never return a top-level array,
> only an object.
>
> Cf
> http://www.kid666.com/blog/2006/12/23/security-ajax-json-satisfaction/
>
>
> Robert Brewer
> fumanchu@aminus.org

Received on Wednesday, 3 September 2008 21:09:12 GMT
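The exchange above turns on one property of JSON text: a top-level array is also a valid JavaScript program, so a response such as `[{"id":1},{"id":2}]` executes if an attacker's page loads the authenticated endpoint with a `<script src>`, whereas a top-level object literal is a syntax error in that position (the `{` opens a block, and `"items": ...` is not a statement). The following is an added example, not code from the thread or from either participant. It shows the parse distinction, the completion value a script include would compute for the array form, and the wrap/unwrap convention Robert describes ("never return a top-level array, only an object"). The sample responses and the helper names are constructed for the example. The data-capture half of the 2006-era attack (overriding the `Array` constructor or `Object` setters so the evaluated literal leaks its contents) relied on engines that no longer do that for literals, and is not reproduced here.

```javascript
// Added example (not from the mailing-list thread). Demonstrates why a
// top-level JSON array is exposed to cross-site <script src> inclusion
// while a top-level JSON object is not, and the wrap/unwrap convention.

// Constructed sample responses standing in for an authenticated API endpoint.
const arrayResponse =
  '[{"id": 1, "email": "a@example.com"}, {"id": 2, "email": "b@example.com"}]';
const objectResponse =
  '{"items": [{"id": 1, "email": "a@example.com"}, {"id": 2, "email": "b@example.com"}]}';

// Both texts are valid JSON; that is never the question.
function parsesAsJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Does the text parse as a JavaScript *program*, i.e. what <script src>
// requires? Function bodies use the same statement grammar, so compiling
// the text as a function body answers that without executing anything.
function parsesAsScript(text) {
  try {
    new Function(text); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    if (e.name === "SyntaxError") return false;
    throw e;
  }
}

// What a script include would actually evaluate to. Indirect eval runs the
// text as a global script and returns its completion value: for an array
// literal that is the data itself. Only ever call this on trusted input;
// it is here to make the point, not as a technique to use.
function completionValueAsScript(text) {
  return (0, eval)(text); // eslint-disable-line no-eval
}

// Server side: the convention Robert describes. The collection is always
// wrapped in an object under a single property ("items" is a constructed name).
function wrapCollection(items) {
  return JSON.stringify({ items });
}

// Client side: refuse anything that is not the wrapped shape, so a server
// that regresses to returning a bare array fails closed rather than silently
// reintroducing the exposure.
function unwrapCollection(text) {
  const doc = JSON.parse(text);
  if (doc === null || typeof doc !== "object" || Array.isArray(doc) ||
      !Array.isArray(doc.items)) {
    throw new TypeError("expected a top-level object with an 'items' array");
  }
  return doc.items;
}

// Usage (also exercised by the checks below):
//   parsesAsScript(arrayResponse)   -> true   (loadable as a script)
//   parsesAsScript(objectResponse)  -> false  (SyntaxError as a script)
//   unwrapCollection(wrapCollection([1, 2])) -> [1, 2]
```

Note that the object wrapper only removes the `<script src>` vector; it does nothing for the same data fetched with `XMLHttpRequest` from the same origin, which is why the thread treats it as an application-level convention rather than a property of the range-unit definition.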
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:22:29 GMT