
[whatwg] JSONRequest

From: Jim Ley <jim.ley@gmail.com>
Date: Thu, 16 Mar 2006 19:04:43 +0000
Message-ID: <851c8d310603161104s62b49f59n881e7d0d3f7d2714@mail.gmail.com>
On 3/16/06, Hallvord R M Steen <hallvors at gmail.com> wrote:
> > > If you today embed data on an
> > > intranet in JavaScript I can create a page that loads that script in a
> > > SCRIPT tag and steal the data.
> >
> > Could you please describe how exactly? The contents of remote script
> > elements are not typically available (and if they are it's a large
> > security hole today) unless valid javascript objects are produced to
> > be queried, that is not the case with bare JSON.
> You are right, if no variables are created one can't see the data by
> loading it in a SCRIPT tag. Are you aware of intranets/CMSes that use
> this as a security mechanism?

Yes, I've shipped systems, and seen many others where the only
protection on the internal side is IP based, and use JSON data
retrieved by XHR and new Function'd into JS objects.  It's quite
common in fact.
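The distinction the thread turns on, as an added example that is not part of Jim's message or the original thread: a JSON object literal that is merely the body of a response cannot be read by a page that pulls it in through a SCRIPT tag, whereas the same data assigned to a variable becomes a readable global. The snippet simulates what a `<script src>` element does to a response by evaluating the response text as global code through an indirect `eval`, and then shows the receiving page parsing the same text as data instead of running it. The sample responses and the `intranetData` name are constructed for the example.

```javascript
// Indirect call to eval: runs the text as global script code, which is what
// a <script src="..."> element does with whatever the server returns.
const indirectEval = eval;

// Constructed sample responses from an imaginary intranet endpoint.
const BARE_JSON = '{"user": "alice", "role": "admin"}';
const ASSIGNED_JSON = 'var intranetData = {"user": "alice", "role": "admin"};';

// Evaluate `body` as a script and report whether the data ended up reachable
// through a global property named `globalName`, which is the only way a page
// that included the response via SCRIPT could get at it.
function loadAsScript(body, globalName) {
  delete globalThis[globalName]; // start clean; eval-declared vars are deletable
  let error = null;
  try {
    indirectEval(body);
  } catch (e) {
    error = e.constructor.name;
  }
  return {
    error,
    exposed: Object.prototype.hasOwnProperty.call(globalThis, globalName),
  };
}

// What the legitimate consumer should do with an XHR response: treat it as
// data. JSON.parse accepts only JSON text and never executes anything, unlike
// new Function(...) which runs whatever the server sent.
function parseAsData(body) {
  try {
    return JSON.parse(body);
  } catch (e) {
    return null; // not JSON: refuse rather than fall back to evaluating it
  }
}

// Bare JSON as a script: `{` opens a block statement, and `"user":` is a
// syntax error inside a block, so nothing is evaluated and nothing leaks.
const bare = loadAsScript(BARE_JSON, 'intranetData');
console.log('bare JSON   ->', bare);      // { error: 'SyntaxError', exposed: false }

// The same data assigned to a variable becomes a global any including page
// can read, which is what the "steal the data" case in the thread relies on.
const assigned = loadAsScript(ASSIGNED_JSON, 'intranetData');
console.log('assigned    ->', assigned);  // { error: null, exposed: true }

// Parsing as data works for the bare form and rejects the assignment form.
console.log('JSON.parse  ->', parseAsData(BARE_JSON), parseAsData(ASSIGNED_JSON));
```

The point for anyone relying on this behaviour as a protection: it holds only while the response is a bare object literal, so serving the data with a variable assignment, or anything else that makes it a valid expression script, silently turns it into a cross-site readable resource. On the consuming side, `JSON.parse` keeps the response as data, whereas `new Function` on the response text will execute any non-JSON content the endpoint happens to return.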


Received on Thursday, 16 March 2006 11:04:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC