- From: Kris Zyp <kris@sitepen.com>
- Date: Wed, 3 Sep 2008 15:07:50 -0600
- To: "Robert Brewer" <fumanchu@aminus.org>, "Jamie Lokier" <jamie@shareable.org>
- Cc: "Yves Lafon" <ylafon@w3.org>, "Julian Reschke" <julian.reschke@gmx.de>, <ietf-http-wg@w3.org>
Avoiding top-level JSON arrays is pretty hackish way of protecting against exploits, there are much better forms of security. It doesn't seem like this practice should influence range units. Once again, I would think that those that really want a top-level object, for security or for metadata reasons could create a sub-format/content type that defined the top level object, the collection property, and the proper behavior for items range units with that format. Kris > Kris Zyp wrote: >> > If it's only used with the "application/json" media-type, and it can >> > define that "items" always refers to _array_ items (i.e. numbered) >> > and the JSON _top-level_ object is an array, then I have no such >> > concern. >> >> I agree, it should only be applicable when the top-level entity is an >> array. > > Except...there are a number of people who close a set of XSS attacks by > mandating their JSON implementations never return a top-level array, > only an object. > > Cf > http://www.kid666.com/blog/2006/12/23/security-ajax-json-satisfaction/ > > > Robert Brewer > fumanchu@aminus.org > > >
Received on Wednesday, 3 September 2008 21:09:12 UTC