
  • From: "Mukul Gandhi" <gandhi.mukul@g...>
  • To: "Costello, Roger L." <costello@m...>
  • Date: Tue, 8 Apr 2008 09:40:44 +0530

Hi Roger,
   Thanks for your thoughts.

JSON seems nice for cross-domain data (particularly in AJAX
applications).

But I agree with others' concerns about security in a JSON environment. A
JSON string is a subset of JavaScript, so malicious attacks can be
done by JSON scripts.

I hope some security extensions to JSON will be developed over time.

On 4/7/08, Costello, Roger L. <costello@m...> wrote:
> Hi Mukul,
>
> > IMHO, what's different (great) about this scenario?
>
> I need to give more detail about how it works.
>
> A JavaScript Ajax application that is running in a browser can only
> fetch data from the domain that it came from.  It does this using the
> XMLHttpRequest object.
>
> Quoting now from Bulletproof Ajax:
>
> "We can't use XMLHttpRequest to access the Web APIs offered by so many
> sites these days.  That's a real shame because most APIs return their
> data in XML, which would be available in responseXML.
>
> The script element has no such security restrictions.  It's possible to
> access a JavaScript file from another domain in this way:
>
> <script type="text/javascript"
> src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
>
> If you can request a JavaScript file from another domain, then you can
> also request a JSON file.  Remember, JSON is nothing more than
> JavaScript."
>
> -- the author shows how this can be generated dynamically --
>
> Thus, through this technique, the JavaScript running in your browser
> can pull in data from any web service that serves up JSON (such as the
> Yahoo web services).
>
> /Roger


-- 
Regards,
Mukul Gandhi
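The concern raised above, that a JSON response is also executable JavaScript, can be shown with a short added example (not from this thread or from Bulletproof Ajax). It contrasts the legacy eval() shortcut with JSON.parse(), using two constructed response strings: one is plain data, the other is a JavaScript expression that yields an object but also runs code while being evaluated. The array sideEffects and the helper names are assumptions made for the demonstration.

```javascript
// Added example: the same response text handled two ways.
// A JSON payload is also JavaScript; evaluating it with eval() runs whatever the
// remote server sent, whereas JSON.parse() accepts only the JSON data grammar.

// Constructed responses (not captured from any real service).
const BENIGN_RESPONSE = '{"states": ["Alabama", "Alaska"], "count": 2}';
const HOSTILE_RESPONSE =
  '(function () { sideEffects.push("remote code ran"); return {"states": []}; })()';

// Records anything the evaluated response managed to do in the page's scope.
const sideEffects = [];

// Legacy pattern: evaluate the response as JavaScript ("JSON is just JavaScript").
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Hardened pattern: JSON.parse implements only the JSON grammar, so function
// calls, assignments or method invocations in the text raise a SyntaxError.
function parseJsonOnly(text) {
  return JSON.parse(text);
}

// Runs both approaches over one response and reports what each did.
function compare(text) {
  sideEffects.length = 0;
  const result = { evalRanCode: false, jsonParseAccepted: false };
  try {
    parseWithEval(text);
  } catch (e) {
    // eval rejected the text as JavaScript; nothing ran.
  }
  result.evalRanCode = sideEffects.length > 0;
  try {
    parseJsonOnly(text);
    result.jsonParseAccepted = true;
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
  }
  return result;
}

console.log('benign :', compare(BENIGN_RESPONSE));   // eval does not run code, JSON.parse accepts
console.log('hostile:', compare(HOSTILE_RESPONSE));  // eval runs the embedded code, JSON.parse rejects
```

JSON.parse only helps when the response text is fetched (for example via XMLHttpRequest) and parsed by the page. The script-element technique quoted in the thread hands the remote server's response to the JavaScript engine directly, so there is nothing to parse and the remote site gets the same privileges as the page's own scripts; that is the trust decision a developer makes when pulling JSON in through a script tag.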

