W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] JSONRequest

From: Jim Ley <jim.ley@gmail.com>
Date: Mon, 20 Mar 2006 13:46:06 +0000
Message-ID: <851c8d310603200546j27a2c130yd4ccc28f0257d9c8@mail.gmail.com>
On 3/20/06, Douglas Crockford <douglas at crockford.com> wrote:
>  > Or indeed wrote your script before this JSONRequest was invented.
>
> I think I see where you are confused. A pre-JSONRequest JSON application
> will be using GET, or POST with a conventional POST body.

What exactly is a "conventional POST body"

> JSONRequest cannot generate a GET, so those interfaces are
> safe,

Many webservers will return data in response to a POST even if
expecting a GET, a bug perhaps, but there's no specification which
prevents it.

> and it cannot generate a conventional POST
> body, so those applications are safe, too.

I have lots of applications that POST json to the server, and return
more JSON, for exactly the reason your proposing this interface now.

> If an application is so badly implemented that it accepts dangerous POSTs (we
> already determined that JSONRequest is safer than form.submit in this regard)

Where did we determine this?   Please start sharing your security
analysis, it seems rather lacking to me, so I'm not really prepared to
trust blanked statements of what you've determined.

> So, is this a problem? No. First, JSONRequest will reject the response and not
> return to the script because the Content-Type is not application/json.
> application/json is only now being registered as MIME media type. Legacy
> applications should not have been using it.

_SHOULD_  see, you're relying on perfect systems everywhere, that is
not an appropriate reliance, and as there are other methods - opt-in
methods - that allow cross domain scripting to be done more securely,
I simply don't see the point of not using them, and go for these poor
security methods you're advocating.

Also, someone using a application/vnd.someone.json will likely change
their server configuration to application/json as soon as it's
registered, so legacy apps will be using the appropriate mime-type.

> So, to repeat, JSON introduces no new security vulnerabilities for the legacy
> JavaScript data formats of six years ago.

You just admitted, that it did, so please stop repeating that phrase,
you may want to use a phrase such as "few" or "rare" or "only in
certain situations" are new security vulnerabilities present, but
there are certainly not none, and your refusal to admit this in the
document, when you do here suggests that you do not want your
specification to be reviewed fairly by all concerned.

> I would very much like to see the details of a specific attack in which a legacy
> application which depends solely on firewall locality for its security is
> compromised by JSONRequest.

I have some where all that would be needed is a
application/x--jl-message-result becomes a application/json -
something that is likely to happen (without me knowing) once the the
mime-type is registered.  Of course it's behind a firewall, so I can't
direct you to it, but it meets all of the other restrictions on JSON
you've listed above.  The data protected is pretty innocuous, but I'd
be crazy to think I was the only person doing it, why do you think I
am?

Cheers,

Jim.
Received on Monday, 20 March 2006 05:46:06 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC