- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Thu, 16 Mar 2006 08:58:08 +0100
On 3/11/06, Jim Ley <jim.ley at gmail.com> wrote:
> Accessing JSON resources on a local intranet which are
> secured by nothing more than the requesting IP address.

While this is a valid concern, I think the conclusion "no *new* security vulnerabilities" is correct. If you today embed data on an intranet in JavaScript, I can create a page that loads that script in a SCRIPT tag and steal the data.

Of course, if this is implemented in UAs, it will encourage intranets to publish JSONRequest services, so the situation may well get worse.

> The "not ok" needs to be refined to deal with proxy caches that may
> return other codes, e.g. 304 or 206.

> The cache rules are unworkable, please remove these and use standard
> HTTP methods for suggesting the cacheability of a resource, forcing
> them to be uncacheable is unworkable w.r.t. proxy caches and
> extremely unwelcome within the browser.

You missed the fact that every request in this proposal seems to be a POST request. No UA or proxy should cache POST anyway.

--
Hallvord R. M. Steen
Received on Wednesday, 15 March 2006 23:58:08 UTC