
Re: XDR *API* Security Impact

From: Kris Zyp <kris@sitepen.com>
Date: Mon, 14 Apr 2008 10:59:27 -0600
Message-ID: <072501c89e50$e934c0e0$4200a8c0@kris>
To: "Thomas Roessler" <tlr@w3.org>, <public-appformats@w3.org>, "Web API WG \(public\)" <public-webapi@w3.org>
Cc: "Jon Ferraiolo" <jferrai@us.ibm.com>, "Close, Tyler J." <tyler.close@hp.com>, "Chris Wilson" <Chris.Wilson@microsoft.com>, "David Ross" <dross@windows.microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>, "Eric Lawrence" <ericlaw@exchange.microsoft.com>, "Gideon Cohn" <gidco@windows.microsoft.com>, "Ian Hickson" <ian@hixie.ch>, "Jonas Sicking" <jonas@sicking.cc>, "Laurens Holst" <lholst@students.cs.uu.nl>, "Marc Silbey" <marcsil@windows.microsoft.com>, "Maciej Stachowiak" <mjs@apple.com>, "Nikhil Kothari" <nikhilko@microsoft.com>, "Sharath Udupa" <Sharath.Udupa@microsoft.com>, "Sunava Dutta" <sunavad@windows.microsoft.com>, "Zhenbin Xu" <zhenbinx@windows.microsoft.com>

> For JSON, web application programmers are left to their own devices
> by XHR2, and will more often than not end up using eval to parse the
> JSON data that they have retrieved, effectively again passing
> execution control to b.com.

AFAIK, Crockford's json.js library is effective in validating JavaScript 
such that JSON data can be properly executed without allowing arbitrary code 
execution. In addition, I would be surprised if we don't see native JSON 
evaluators in browsers in the next rev of browsers. Therefore, I don't think 
this is a problem. We have effective means for safely parsing JSON data, as long 
as we have a mechanism for loading the text.

That being said, I would love to see XHR2 include an additional property 
getter for "responseJSON" that provided access to safely natively parsed 
JSON. It is kind of silly that XHR provides responseXML, when most modern 
devs are using JSON.

Kris
Received on Monday, 14 April 2008 17:02:41 GMT
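The contrast the thread is about, as an added example that is not part of the original mail or of any library discussed in it: the eval-based parsing the quoted message warns about beside a grammar-checking parser, plus a hypothetical "responseJSON"-style getter in the spirit of Kris's suggestion. JSON.parse stands in for the native JSON evaluator he anticipates (and for what Crockford's json.js validated before eval); the sample response bodies, the `globalThis.__sideEffect` marker and the minimal `{ status, responseText }` object shape are constructed for the demonstration.

```javascript
// Added example (not from the original mail): eval-based JSON parsing versus a
// real JSON parser, and a small "responseJSON"-style helper.
// JSON.parse is today's standard equivalent of the native evaluator the mail
// anticipates; the sample responses below are constructed.

// Constructed sample responses: one honest JSON document, one that is valid
// JavaScript (a comma expression with an assignment) but not JSON.
const HONEST_RESPONSE = '{"user": "alice", "roles": ["editor"]}';
const HOSTILE_RESPONSE = '(globalThis.__sideEffect = "code ran", {"user": "mallory"})';

// The pattern the quoted message warns about: eval() treats the response as a
// program, so whatever b.com sends runs in the caller's origin.
function parseWithEval(text) {
  return eval('(' + text + ')'); // demonstration only; never use with remote data
}

// Safe alternative: a parser that only accepts the JSON grammar. Expressions,
// calls and assignments are rejected with a SyntaxError and nothing executes.
function parseWithJsonParser(text) {
  return JSON.parse(text);
}

// Hypothetical "responseJSON"-style getter, modelled as a function over a
// minimal XHR-like object (assumed shape: { status, responseText }). It returns
// null for non-2xx responses or non-JSON bodies and never evaluates the body.
function responseJSON(xhrLike) {
  if (xhrLike.status < 200 || xhrLike.status >= 300) return null;
  try {
    return JSON.parse(xhrLike.responseText);
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

// Runs both parsers over both constructed responses and records what happened,
// including whether the side-effect marker was set (i.e. whether code ran).
function demo() {
  const results = {};
  delete globalThis.__sideEffect;
  results.evalHonest = parseWithEval(HONEST_RESPONSE).user;     // "alice"
  results.evalHostile = parseWithEval(HOSTILE_RESPONSE).user;   // "mallory"
  results.evalSideEffect = globalThis.__sideEffect;             // "code ran"
  delete globalThis.__sideEffect;
  results.jsonHonest = parseWithJsonParser(HONEST_RESPONSE).user; // "alice"
  try {
    parseWithJsonParser(HOSTILE_RESPONSE);
    results.jsonHostile = 'accepted';
  } catch (e) {
    results.jsonHostile = e instanceof SyntaxError ? 'rejected' : 'error';
  }
  results.jsonSideEffect = globalThis.__sideEffect;             // undefined
  results.getterHostile = responseJSON({ status: 200, responseText: HOSTILE_RESPONSE }); // null
  results.getterHonest = responseJSON({ status: 200, responseText: HONEST_RESPONSE }).roles[0]; // "editor"
  return results;
}

console.log(demo());
```

The getter swallows only `SyntaxError` (a malformed or non-JSON body) and rethrows anything else, so a genuine programming error in the caller is not hidden behind a `null`.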
