W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: ISSUE-18: Is JSONRequest an acceptable alternative to the current model? [Access Control]

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Fri, 4 Jan 2008 16:05:08 -0800
To: "Anne van Kesteren" <annevk@opera.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>, "Close, Tyler J." <tyler.close@hp.com>
Message-ID: <OFC2B9D44E.270B3245-ON882573C6.00818F61-882573C7.000078A9@us.ibm.com>


>
> You failed to reply to the XSLT and XBL remarks that the JSON thingie
does
> not address. These are important use cases.

IMO the JSON use case is a couple of orders of magnitude more important
than the XSLT or XBL requirements. JSON is a primary format for cross-site
data exchange today, and is likely to grow in usage in the coming years as
more people discover its virtues.

Overall, I would prefer it if browsers would adopt JSONRequest rather than
Access Control. JSONRequest was designed carefully from a security
perspective, such as the random delay feature. It achieves its results
*without* sending cookies (the cookie feature in Access Control scares lots
of us because of CSRF issues). I recognize that the WAF committee has spent
lots of time and effort on the existing Access Control, but I think the
community would be better served by having browsers implement JSONRequest
instead. (JSONRequest would be even better if it allowed XML data in
addition to JSON data.)

For XSLT and XBL, shouldn't browsers allow cross-site (GET) access in the
same way it does for CSS stylesheets and SCRIPT tags?

Jon
Received on Saturday, 5 January 2008 00:07:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC