W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] JSONRequest

From: Chris Holland <frenchy@gmail.com>
Date: Sat, 18 Mar 2006 17:43:18 -0800
Message-ID: <8da6ad500603181743v6fda2f62vb5ba180aa7f3d25b@mail.gmail.com>
what did you think of forcing implementers of JSON http services to be
consumed by JSONRequests, to send an extra HTTP header called
X-Allow-Foreign-Hosts, per what we discussed in past threads with
caxhr to address similar issues. As a developer, there'd be no way
you'd set this extra header without understanding the consequences of
exposing the service?

On 3/18/06, Douglas Crockford <douglas at crockford.com> wrote:
>  > The mimetype you're defining, because it is new, pretty-much ensures
>  > no existing service behind an intranet could be affected.
>
>  > I could still envision one day developers setting-up JSON syndication
>  > services behind an intranet, not quite grokking the fact that their
>  > data is now accessible from outside of their intranet. Silly, i know
>  > but ...
>
> It is a concern. The only solution to that that I can see is education. When
> choosing a technology for a service, whether SOAP or REST or JSONRequest or
> whatever, you need to understand the pros and cons. A con with JSONRequest is
> that if your are incompetent in determining your authentications, then data may
> leak. For that reason, some people might choose to not use JSONRequest, and I
> could support such a decision. But for people who want to use it (and that
> includes me), we must be prepared to design our systems correctly. I know this
> is a controversial position.
>
> http://www.JSON.org/JSONRequest.html
>


--
Chris Holland
http://chrisholland.blogspot.com/
Received on Saturday, 18 March 2006 17:43:18 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC