
[whatwg] JSONRequest

From: Hallvord R M Steen <hallvors@gmail.com>
Date: Thu, 16 Mar 2006 08:58:08 +0100
Message-ID: <dd4c8a40603152358j7058f31bjd45570032c89a10a@mail.gmail.com>
On 3/11/06, Jim Ley <jim.ley at gmail.com> wrote:

> Accessing JSON resources on a local intranet which are
> secured by nothing more than the requesting IP address.

While this is a valid concern I think the conclusion "no *new*
security vulnerabilities" is correct. If you today embed data on an
intranet in JavaScript I can create a page that loads that script in a
SCRIPT tag and steal the data.

Of course if this is implemented in UAs, it will encourage intranets
to publish JSONRequest services, so the situation may well get worse.

> The "not ok" needs to be refined to deal with proxy caches that may
> return other codes, e.g. 304 or 206.

> The cache rules are unworkable, please remove these and use standard
> HTTP methods for suggesting the cacheability of a resource, forcing
> them to be uncacheable is unworkable w.r.t. to proxy caches and
> extremely unwelcome within the browser.

You missed the fact that every request in this proposal seems to be a
POST request. No UA or proxy should cache POST anyway.
--
Hallvord R. M. Steen
Received on Wednesday, 15 March 2006 23:58:08 UTC
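The exposure Hallvord describes (intranet data that a third-party page can pull in through a SCRIPT tag) only works when the response is also a syntactically valid JavaScript program. The following is an added example, not code from the thread: a check that tells whether a JSON body would load as a script, plus the guard-prefix mitigation and its same-origin parser; `GUARD_PREFIX` and the sample records are assumptions made for the example.

```javascript
// Added example, not from the original thread. Defender-side check for the
// "load it in a SCRIPT tag" exposure: a JSON body is readable that way only
// if it also parses as a JavaScript program. A top-level array does, a
// top-level object literal does not, and a deliberate non-JS prefix breaks
// every body regardless of shape.

// Assumption: the guard prefix this example adopts; any non-JS prefix works.
const GUARD_PREFIX = ")]}',\n";

// Returns true if `body` would parse as a JavaScript program and could
// therefore be included cross-site via <script src=...>.
function isLoadableAsScript(body) {
  try {
    new Function(body); // parse only; the constructed function is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Serialize data for a JSON endpoint with a guard prefix that turns the
// response into a syntax error when treated as a script.
function guardJson(value) {
  return GUARD_PREFIX + JSON.stringify(value);
}

// Same-origin client counterpart: strip the guard and parse. Rejects bodies
// without the guard so a misconfigured endpoint is noticed rather than ignored.
function parseGuarded(text) {
  if (!text.startsWith(GUARD_PREFIX)) {
    throw new Error("response is missing the anti-script guard prefix");
  }
  return JSON.parse(text.slice(GUARD_PREFIX.length));
}

// Constructed sample: an intranet phone list, the kind of data the thread
// worries about being "secured by nothing more than the requesting IP".
const sampleRecords = [{ user: "alice", ext: "1234" }, { user: "bob", ext: "5678" }];

function demo() {
  const bare = JSON.stringify(sampleRecords); // "[{...},{...}]" is a valid JS program
  const guarded = guardJson(sampleRecords);
  return {
    bareIsLoadable: isLoadableAsScript(bare),       // true
    guardedIsLoadable: isLoadableAsScript(guarded), // false
    roundTrip: parseGuarded(guarded),               // original records
  };
}
```

Note that the check only covers the script-inclusion path; it says nothing about whether the endpoint should be reachable from arbitrary origins at all.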