- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Thu, 16 Mar 2006 17:01:54 +0100
> > If you today embed data on an > > intranet in JavaScript I can create a page that loads that script in a > > SCRIPT tag and steal the data. > > Could you please describe how exactly? the contents of remote script > elements are not typically available (and if they are it's a large > security hole today) unless valid javascript objects are produced to > be queried, that is not the case with bare JSON. You are right, if no variables are created one can't see the data by loading it in a SCRIPT tag. Are you aware of intranets/CMSes that use this as a security mechanism? -- Hallvord R. M. Steen
Received on Thursday, 16 March 2006 08:01:54 UTC