
  • From: Elliotte Harold <elharo@m...>
  • To: noah_mendelsohn@u...
  • Date: Fri, 05 Jan 2007 14:50:40 -0500

noah_mendelsohn@u... wrote:
> Maybe one of you folks with more experience in the security aspects of the 
> JSON/XML business could clarify something for me.  I've heard it alleged 
> that among the other attractions of JSON is that typical browser security 
> policies allow one to do cross-site retrieval of JavaScript in 
> circumstances where XML retrieval would be disallowed.  Two questions:
> 
> 1. Is this true?
> 2. If so, am I the only one who thinks this is bizarre? 

No, you're not. There are a number of security issues with allowing Java 
applets, JavaScript, Flash, and any other browser-based executable 
thingamajig to connect to arbitrary network hosts, including:

1. DDoS attacks
2. Revealing information about hosts behind the firewall that are not 
otherwise visible to the program

I suspect that the JSON workaround is probably just an oversight on the 
part of browser vendors and will be plugged. At the same time I do wish 
it were easier to mash up data from many different sites in one page. 
Security often conflicts with convenience and ease of use. :-(


-- 
Elliotte Rusty Harold  elharo@m...
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
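As an added example that is not part of Elliotte's reply or of the thread, here is a small Node.js model of the asymmetry Noah asks about: a page cannot read a cross-site response through XMLHttpRequest (the same-origin policy of 2007-era browsers compares scheme, host and port), but it can execute a cross-site response by pointing a <script src=...> at it, and JSONP turns that into a data channel by wrapping the JSON in a call to a function the page names. The hostnames, the handleFeed callback, the feed contents and the isSafeCallbackName whitelist are all constructed for the example.

```javascript
// Added example, not code from the original thread. Models the two ways a
// page can pull data from another origin and why only the <script> path
// gets through. All hostnames and data below are made up.
"use strict";

// Same-origin check as XMLHttpRequest applied it before CORS existed:
// scheme, host and port must all match, or the page cannot read the body.
function sameOrigin(pageUrl, resourceUrl) {
  const a = new URL(pageUrl);
  const b = new URL(resourceUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Model of XMLHttpRequest: the request may go out, but the response body is
// handed to the page only when the origins match. Returns null when blocked.
function xhrRead(pageUrl, resourceUrl, body) {
  return sameOrigin(pageUrl, resourceUrl) ? body : null;
}

// Server side of JSONP: wrap the JSON document in a call to the function the
// requester named. A real endpoint must restrict the callback name (assumed
// whitelist below); otherwise it reflects attacker-chosen JavaScript into
// every page that includes it.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;
function isSafeCallbackName(name) {
  return SAFE_CALLBACK.test(name);
}
function jsonpResponse(data, callbackName) {
  if (!isSafeCallbackName(callbackName)) {
    throw new Error("rejected callback name: " + callbackName);
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Client side: a <script src="http://api.example.net/feed?callback=handleFeed">
// tag does no origin check at all. The browser fetches the body and evaluates
// it as a script in the page's global scope. Modelled here with the Function
// constructor, binding the page's globals as parameters so the remote code
// can call back into the page.
function scriptTagLoad(pageGlobals, responseBody) {
  const names = Object.keys(pageGlobals);
  const values = names.map((n) => pageGlobals[n]);
  new Function(...names, responseBody)(...values);
}

// Run both paths against a constructed feed served from a different origin.
function demo() {
  const page = "http://mashup.example.com/index.html";      // made-up page origin
  const remote = "http://api.example.net/feed?callback=handleFeed"; // made-up API
  const feed = { items: ["first", "second"] };

  // Path 1: XMLHttpRequest across origins. The page never sees the body.
  const viaXhr = xhrRead(page, remote, JSON.stringify(feed));

  // Path 2: the same data fetched with a <script> tag as JSONP. The remote
  // server's output calls the page's handleFeed() with the data as argument.
  const received = [];
  const pageGlobals = { handleFeed: (d) => received.push(d) };
  scriptTagLoad(pageGlobals, jsonpResponse(feed, "handleFeed"));

  return { viaXhr, viaScript: received[0] };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point the model makes is the one in the thread: the script path works not because the browser trusts api.example.net more, but because it never treats the response as data in the first place; it is executed, and whatever the remote server chooses to emit runs with the including page's privileges. That is why a JSONP endpoint has to validate the callback name it echoes, and why a page including a third-party script has handed that third party full control of itself.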



