- From: Jim Ley <jim.ley@gmail.com>
- Date: Mon, 13 Mar 2006 18:42:00 +0000

On 3/13/06, Darin Fisher <darin at meer.net> wrote:
> Moreover, if HTTP auth and cookies are not supported, then how does
> someone restrict access to their JSON service? For example, it is
> common practice to use Kerberos to implement HTTP auth on intranets.

If you know you might be susceptible to the intranet attack, then all you need to do is use SSL and have the security within the JSON string. Of course, doing this opens you up to separate problems, and it's far from easy.

> I don't think this is a new idea as
> several specifications have been attempted along these lines. Mozilla
> even implements one of them for its SOAP and WSDL implementation.

Yep, whilst I'm not overly happy with the approach, it's certainly better than the "let's hope people don't know our URLs" of the above proposal.

Cheers,

Jim.

Received on Monday, 13 March 2006 10:42:00 UTC