- From: Darin Fisher <darin@meer.net>
- Date: Mon, 13 Mar 2006 10:36:52 -0800
Douglas Crockford wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
>
> You can read about it here: http://json.org/JSONRequest.html

This looks like an interesting proposal. Some comments:

I'm not sure how JSONRequest solves (or even avoids) the problem of XSS. For example, suppose some intranet deploys a JSON service. What is to prevent an employee's browser from being used to gain access to that JSON service? All the attacker (a.k.a. disgruntled employee) needs to do is know the URL of the JSON service and then trick employees to visit an external page under the attacker's control.

Moreover, if HTTP auth and cookies are not supported, then how does someone restrict access to their JSON service? For example, it is common practice to use Kerberos to implement HTTP auth on intranets.

Backing up a second, I think what we need is a way to grant websites the ability to control who may access their resources. It'd be ideal if the browser had a way to ask the server for the list of hosts (or domains) that are permitted to access it. I don't think this is a new idea as several specifications have been attempted along these lines. Mozilla even implements one of them for its SOAP and WSDL implementation.

-Darin
Received on Monday, 13 March 2006 10:36:52 UTC
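The server-declared allow list Darin sketches in his last paragraph, modelled as an added example that is not code from this thread, from the JSONRequest proposal, or from Mozilla's SOAP/WSDL implementation: the server publishes, per resource, the origins permitted to read it, and the browser enforces that list with an exact comparison of normalised origins. The policy table, hostnames, paths and function names (`toOrigin`, `permittedOriginsFor`, `browserMayRead`) are constructed for illustration and are assumptions of this example, not part of any specification.

```javascript
// Added example: a minimal model of "the browser asks the server which
// origins may read this resource, then enforces the answer".
// Everything below (policy format, hostnames, function names) is constructed.

// Normalise a URL string to its origin (scheme://host[:port]).
// Returns null for unparsable input or for URLs with an opaque origin
// (data:, file:, blob:), which must never be granted cross-origin reads.
function toOrigin(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  return u.origin === "null" ? null : u.origin;
}

// Server side: the policy the server would hand back when asked about a
// resource. Keys are origin + path; values are the origins allowed to read.
// "*" means any origin may read, but only without credentials.
// (constructed sample policy)
const SAMPLE_POLICY = {
  "https://intranet.example/api/payroll": ["https://hr.intranet.example"],
  "https://intranet.example/api/public-feed": ["*"],
};

// The server's answer to "who may read this resource?". An unknown resource
// yields an empty list, i.e. default deny.
function permittedOriginsFor(resourceUrl, policy) {
  const u = new URL(resourceUrl);
  return policy[u.origin + u.pathname] || [];
}

// Browser side: may a page loaded from pageUrl read resourceUrl?
// Rules applied, in order:
//  1. reject anything without a real origin on either side;
//  2. same origin is always allowed (the Same Origin Policy's own rule);
//  3. the page's exact origin must appear on the server's list, so
//     "https://hr.intranet.example.attacker.example" never matches
//     "https://hr.intranet.example" (no substring or prefix matching);
//  4. "*" grants anonymous reads only; a request carrying cookies or HTTP
//     auth (withCredentials) is refused unless the origin is named explicitly.
function browserMayRead(pageUrl, resourceUrl, policy, withCredentials) {
  const pageOrigin = toOrigin(pageUrl);
  const resourceOrigin = toOrigin(resourceUrl);
  if (pageOrigin === null || resourceOrigin === null) return false;
  if (pageOrigin === resourceOrigin) return true;

  const allowed = permittedOriginsFor(resourceUrl, policy);
  if (allowed.includes(pageOrigin)) return true;
  if (allowed.includes("*") && !withCredentials) return true;
  return false;
}

// Walk through the intranet scenario from the message: an external page
// under the attacker's control tries to read the payroll service from an
// employee's browser, and is refused because its origin is not on the list.
function demo() {
  const payroll = "https://intranet.example/api/payroll";
  const feed = "https://intranet.example/api/public-feed";
  const cases = [
    ["https://hr.intranet.example/app", payroll, true],
    ["https://external.attacker.example/page", payroll, true],
    ["https://hr.intranet.example.attacker.example/page", payroll, true],
    ["http://hr.intranet.example/app", payroll, true],
    ["https://external.attacker.example/page", feed, false],
    ["https://external.attacker.example/page", feed, true],
  ];
  return cases.map(([page, res, creds]) =>
    `${page} -> ${res} (credentials=${creds}): ` +
    (browserMayRead(page, res, SAMPLE_POLICY, creds) ? "allowed" : "refused"));
}

if (typeof require !== "undefined" && require.main === module) {
  demo().forEach((line) => console.log(line));
}

module.exports = { toOrigin, permittedOriginsFor, browserMayRead, demo };
```

The check that carries the security weight is the exact equality on normalised origins: scheme, host and port all have to match, which is why the `http://` page and the look-alike subdomain are both refused. The `*` entry answers Darin's second question only partially: a resource that anyone may read anonymously can be published that way, but a resource guarded by cookies or HTTP auth has to name its readers explicitly, because a wildcard combined with credentialed reads would hand the intranet service to any page the employee visits.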