[whatwg] JSONRequest

From: Jim Ley <jim.ley@gmail.com>
Date: Thu, 16 Mar 2006 12:34:57 +0000
Message-ID: <851c8d310603160434p11719b3dq141f39b1a300b653@mail.gmail.com>

On 3/16/06, Hallvord R M Steen <hallvors at gmail.com> wrote:
> On 3/11/06, Jim Ley <jim.ley at gmail.com> wrote:
>
> > Accessing JSON resources on a local intranet which are
> > secured by nothing more than the requesting IP address.
>
> While this is a valid concern I think the conclusion "no *new*
> security vulnerabilities" is correct. If you today embed data on an
> intranet in JavaScript I can create a page that loads that script in a
> SCRIPT tag and steal the data.

Could you please describe how exactly?  The contents of remote script
elements are not typically available (and if they are, it's a large
security hole today) unless valid JavaScript objects are produced to
be queried; that is not the case with bare JSON.

Jim.
Received on Thursday, 16 March 2006 04:34:57 UTC
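
The distinction drawn in this message, between a response that is bare JSON and one that produces JavaScript objects a page can query, can be checked for a given response body. The following is an added example, not part of the original email: the function name and the sample bodies are constructed, and it reports what a current JavaScript engine does, not what 2006 browsers did.

```javascript
// Added example (not from the thread): report what a response body leaves
// in global scope when it is executed as a classic script, which is what a
// cross-site <script src> include does with it.
function scriptIncludeExposure(body) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  let ran = true;
  let errorName = null;
  try {
    // Indirect eval parses and runs the text as global Script code, the same
    // grammar a classic script element uses. The completion value is dropped
    // here, just as a script element gives the including page no return value.
    (0, eval)(body);
  } catch (err) {
    ran = false;
    errorName = err.name;
  }
  // Anything newly defined on the global object is readable by the page
  // that included the script.
  const created = Object.getOwnPropertyNames(globalThis)
    .filter((name) => !before.has(name));
  for (const name of created) delete globalThis[name]; // leave no residue
  return { ran, errorName, created };
}

// Constructed sample bodies for three response shapes.
const samples = {
  bareObject: '{"user":"alice","balance":42}',
  bareArray: '["alice",42]',
  assignment: 'var intranetData = {"user":"alice","balance":42};',
};

function classifyAll() {
  const report = {};
  for (const [label, body] of Object.entries(samples)) {
    report[label] = scriptIncludeExposure(body);
  }
  return report;
}

console.log(classifyAll());
```

A bare object body fails to parse as a script because `{` opens a block statement, a bare array body runs but defines no global name, and only the assignment form leaves a name the including page can read.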
