
  • From: "bryan rasmussen" <rasmussen.bryan@g...>
  • To: "Mukul Gandhi" <gandhi.mukul@g...>
  • Date: Tue, 8 Apr 2008 07:43:26 +0200

Well there are a number of attempts to deal with inherent security
problems of sharing scripts from third parties, probably the most
promising is Caja http://code.google.com/p/google-caja/

Cheers,
Bryan Rasmussen

On Tue, Apr 8, 2008 at 6:10 AM, Mukul Gandhi <gandhi.mukul@g...> wrote:
> Hi Roger,
>    Thanks for your thoughts.
>
>  JSON seems nice for cross domain data domain (particularly in AJAX
>  applications).
>
>  But I agree with others' concerns about security in a JSON environment. A
>  JSON string is a subset of JavaScript, so malicious attacks can be
>  done by JSON scripts.
>
>  I hope some security extensions to JSON will be developed over time.
>
>
>  On 4/7/08, Costello, Roger L. <costello@m...> wrote:
>  > Hi Mukul,
>  >
>  > > IMHO, what's different (great) about this scenario?
>  >
>  > I need to give more detail about how it works.
>  >
>  > A JavaScript Ajax application that is running in a browser can only
>  > fetch data from the domain that it came from.  It does this using the
>  > XMLHttpRequest object.
>  >
>  > Quoting now from Bulletproof Ajax:
>  >
>  > "We can't use XMLHttpRequest to access the Web APIs offered by so many
>  > sites these days.  That's a real shame because most APIs return their
>  > data in XML, which would be available in responseXML.
>  >
>  > The script element has no such security restrictions.  It's possible to
>  > access a JavaScript file from another domain in this way:
>  >
>  > <script type="text/javascript"
>  >   src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
>  >
>  > If you can request a JavaScript file from another domain, then you can
>  > also request a JSON file.  Remember, JSON is nothing more than
>  > JavaScript."
>  >
>  > -- the author shows how this can be generated dynamically --
>  >
>  > Thus, through this technique, the JavaScript running in your browser
>  > can pull in data from any web service that serves up JSON (such as the
>  > Yahoo web services).
>  >
>  > /Roger
>
>
>  --
>  Regards,
>  Mukul Gandhi
>
>
>
>  _______________________________________________________________________
>
>  XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>  to support XML implementation and development. To minimize
>  spam in the archives, you must subscribe before posting.
>
>  [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>  Or unsubscribe: xml-dev-unsubscribe@l...
>  subscribe: xml-dev-subscribe@l...
>  List archive: http://lists.xml.org/archives/xml-dev/
>  List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>
>
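The risk raised in the quoted messages (a JSON response pulled in through a script element is executed as JavaScript, so whatever the remote host sends runs in the page) and the check a page can apply instead, as an added example that is not part of the thread. The two responses are constructed; JSON.parse is the strict parser standardized after this exchange and is assumed available.

```javascript
// Added example, not code from the mailing-list thread.
// Contrasts the <script src="..."> technique with a strict JSON parse.

// Constructed response of the kind the us_states service in the thread returns.
const SAMPLE_JSON =
  '{"states":[{"name":"Alabama","abbr":"AL"},{"name":"Alaska","abbr":"AK"}]}';

// Constructed response that is valid JavaScript but NOT valid JSON:
// it carries a side effect before yielding the data object.
const SAMPLE_TAMPERED = '(globalThis.sideEffect = "ran"), {"states":[]}';

// Mirrors what a script element does: the response body is evaluated as
// JavaScript in global scope. Nothing here can tell data from code.
function loadAsScript(text) {
  return (0, eval)(text); // indirect eval -> global scope, like <script>
}

// Treats the response strictly as JSON. Only the JSON grammar is accepted;
// any code, even a harmless expression, is rejected and never executed.
function loadAsJson(text) {
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Optional shape check on top of the parse: the caller knows what it asked for.
function hasExpectedShape(data) {
  return data !== null && typeof data === "object" && Array.isArray(data.states)
    && data.states.every(s => typeof s.name === "string" && typeof s.abbr === "string");
}

function demo() {
  const good = loadAsJson(SAMPLE_JSON);
  console.log("strict parse of JSON:", good.ok, hasExpectedShape(good.data));
  const bad = loadAsJson(SAMPLE_TAMPERED);
  console.log("strict parse of tampered response:", bad.ok, bad.error);
  const viaScript = loadAsScript(SAMPLE_TAMPERED);
  console.log("script-style load of tampered response: data =", JSON.stringify(viaScript),
              "side effect =", globalThis.sideEffect);
}
demo();
```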