
[whatwg] JSONRequest

From: Hallvord R M Steen <hallvors@gmail.com>
Date: Thu, 16 Mar 2006 17:01:54 +0100
Message-ID: <dd4c8a40603160801s3f0aa1f8sb27dbcd571d1cc3a@mail.gmail.com>
> > If you today embed data on an
> > intranet in JavaScript I can create a page that loads that script in a
> > SCRIPT tag and steal the data.
>
> Could you please describe how exactly? The contents of remote script
> elements are not typically available (and if they are it's a large
> security hole today) unless valid javascript objects are produced to
> be queried, that is not the case with bare JSON.

You are right, if no variables are created one can't see the data by
loading it in a SCRIPT tag. Are you aware of intranets/CMSes that use
this as a security mechanism?

--
Hallvord R. M. Steen
Received on Thursday, 16 March 2006 08:01:54 UTC
