W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] JSONRequest

From: Jim Ley <jim.ley@gmail.com>
Date: Fri, 17 Mar 2006 14:06:11 +0000
Message-ID: <851c8d310603170606g45dab9bep334f9add17d83be9@mail.gmail.com>
On 3/16/06, Gervase Markham <gerv at mozilla.org> wrote:
> Hallvord R M Steen wrote:
> > You are right, if no variables are created one can't see the data by
> > loading it in a  SCRIPT tag. Are you aware of intranets/CMSes that use
> > this as a security mechanism?
>
> That's not actually right. I'm pretty sure this came across a public
> security list, so...
>
> You can override the constructor on the prototype of the Object object
> and get access to JSON objects before the JavaScript engine throws them
> away when it realises they don't get assigned to a variable.
>
> Or something like that, anyway. I can't remember exactly how it worked.
> But I'm pretty sure that it's true that you can get JSON data if it's
> not protected.

I can't reproduce this, in IE and Opera, there's no effect whatsover
playing with Object constructors, in Mozilla there is however it is
not called unless you have an expression:

{chicken:true} // doesn't call it.
donkey={chicken:true} // does call it.

Please can you provide more information on how raw JSON is available
from script elements?

Cheers,

Jim.
Received on Friday, 17 March 2006 06:06:11 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC