
Re: issue 85 - range unit extensions

From: Kris Zyp <kris@sitepen.com>
Date: Wed, 3 Sep 2008 15:07:50 -0600
Message-ID: <0fec01c90e09$20df7620$4200a8c0@kris>
To: "Robert Brewer" <fumanchu@aminus.org>, "Jamie Lokier" <jamie@shareable.org>
Cc: "Yves Lafon" <ylafon@w3.org>, "Julian Reschke" <julian.reschke@gmx.de>, <ietf-http-wg@w3.org>

Avoiding top-level JSON arrays is a pretty hackish way of protecting against 
exploits; there are much better forms of security. It doesn't seem like this 
practice should influence range units. Once again, I would think that those 
who really want a top-level object, for security or for metadata reasons, 
could create a sub-format/content type that defined the top-level object, 
the collection property, and the proper behavior for the items range unit with 
that format.

> Kris Zyp wrote:
>> > If it's only used with the "application/json" media-type, and it can
>> > define that "items" always refers to _array_ items (i.e. numbered)
>> > and the JSON _top-level_ object is an array, then I have no such
>> > concern.
>> I agree, it should only be applicable when the top-level entity is an
>> array.
> Except...there are a number of people who close a set of XSS attacks by
> mandating their JSON implementations never return a top-level array,
> only an object.
> Cf.
> http://www.kid666.com/blog/2006/12/23/security-ajax-json-satisfaction/
>
> Robert Brewer
> fumanchu@aminus.org

Received on Wednesday, 3 September 2008 21:09:12 UTC
