
Re: Comments on: Access Control for Cross-site Requests

From: Douglas Crockford <douglas@crockford.com>
Date: Wed, 2 Jan 2008 09:58:41 -0800 (PST)
To: public-appformats@w3.org
Message-ID: <879231.95896.qm@web31806.mail.mud.yahoo.com>

> > Below are comments from Doug Crockford:
>
> > [...] I believe there are more elegant and reliable approaches to
> > providing a safe alternative to the script tag hack.

> I'd be interested in hearing about such a proposal.

One such proposal is JSONRequest (http://json.org/JSONRequest.html). An implementation for Firefox is available at http://crypto.stanford.edu/jsonrequest/.

JSONRequest does not allow the server to abdicate its responsibility of deciding if the data should be delivered to the browser. Therefore, no policy language is needed. JSONRequest requires explicit authorization. Cookies and other tokens of ambient authority are neither sent nor delivered.

JSONRequest has a significantly nicer programming model than XMLHttpRequest. 

JSONRequest only supports one encoding format: JSON. Some people see this as a disadvantage, but I think it is not. It can be used to wrap any other format.

    {"xml": "<?xml..."}
Received on Wednesday, 2 January 2008 20:20:32 GMT
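
The contrast the message draws between ambient authority (cookies) and explicit authorization, as an added example that is not part of the original post or of the JSONRequest proposal. It is a small Node.js model; the handler names, tokens, cookie values and payloads are all hypothetical and constructed for illustration.

```javascript
// Added illustration: every name below is hypothetical and all values are constructed.
const sessionsByCookie = new Map([["sid-1234", "alice"]]);   // ambient: browser-held cookie
const usersByToken = new Map([["tok-alice-7f3a", "alice"]]); // explicit: sent in the message

// Model of what each transport puts on the wire for a page-initiated request.
function buildRequest(transport, cookieJar, payload) {
  return {
    // A cookie-bearing transport attaches the jar no matter which page asked.
    cookies: transport === "cookie-bearing" ? { ...cookieJar } : {},
    body: JSON.stringify(payload),
  };
}

// Server that trusts ambient authority: a valid cookie is enough.
function handleAmbient(request) {
  const user = sessionsByCookie.get(request.cookies.sid);
  return user ? { ok: true, user } : { ok: false, error: "unauthorized" };
}

// Server that requires explicit authorization: cookies are ignored and the
// credential must appear in the JSON body the page chose to send.
function handleExplicit(request) {
  let body;
  try {
    body = JSON.parse(request.body);
  } catch {
    return { ok: false, error: "malformed JSON" };
  }
  const token = body !== null && typeof body === "object" ? body.auth : undefined;
  const user = typeof token === "string" ? usersByToken.get(token) : undefined;
  if (!user) return { ok: false, error: "unauthorized" };
  // Any other format rides inside the JSON envelope as a string.
  return { ok: true, user, xml: typeof body.xml === "string" ? body.xml : null };
}

const jar = { sid: "sid-1234" }; // alice is logged in in this browser
const foreignPayload = { xml: '<?xml version="1.0"?><q/>' }; // page that holds no token
const ownPayload = { auth: "tok-alice-7f3a", xml: '<?xml version="1.0"?><q/>' };

const results = {
  ambientForeign: handleAmbient(buildRequest("cookie-bearing", jar, foreignPayload)),
  explicitForeign: handleExplicit(buildRequest("cookieless", jar, foreignPayload)),
  explicitOwn: handleExplicit(buildRequest("cookieless", jar, ownPayload)),
};
console.log(results);
```

The cookie-trusting handler authorizes a request from a page that never presented a credential, while the explicit handler refuses it and accepts only the request that carries the token in its body.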
