Re: [xml-dev] json v. xml
- From: Elliotte Harold <elharo@metalab.unc.edu>
- To: noah_mendelsohn@us.ibm.com
- Date: Fri, 05 Jan 2007 14:50:40 -0500
noah_mendelsohn@us.ibm.com wrote:
> Maybe one of you folks with more experience in the security aspects of the
> JSON/XML business could clarify something for me. I've heard it alleged
> that among the other attractions of JSON is that typical browser security
> policies allow one to do cross-site retrieval of JavaScript in
> circumstances where XML retrieval would be disallowed. Two questions:
>
> 1. Is this true?
> 2. If so, am I the only one who thinks this is bizarre?
No, you're not. There are a number of security issues with allowing Java
applets, JavaScripts, Flash, and any other browser based executable
thingamajig to connect to arbitrary network hosts including:
1. DDOS attacks
2. Revealing information about hosts behind the firewall that are not
otherwise visible to the program
I suspect that the JSON workaround is probably just an oversight on the
part of browser vendors and will be plugged. At the same time I do wish
it were easier to mashup data from many different sites in one page.
Security often conflicts with convenience and ease of use. :-(
--
Elliotte Rusty Harold elharo@metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
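The distinction Noah asks about comes down to what a browser will execute: a `<script src=...>` tag runs whatever a cross-site host returns as JavaScript, while an XML document fetched the same way is just a syntax error. The following is an added illustration, not code from the thread or from either poster; it models the `<script>` tag with `Function()` (compile only, nothing is run), and the origins, callback name and sample data are constructed for the example. The two defensive habits at the end (validating callback names, and prefixing non-public JSON so it cannot load as a script) are the mitigations a practitioner would reach for; they are assumptions of this example, not something the thread discusses.

```javascript
// Added example (not part of the xml-dev thread): why callback-wrapped JSON is
// retrievable cross-site via <script src=...> while the same data as a bare
// object literal or as XML is not, plus two defensive habits. All sample data
// below is constructed for illustration.

// A <script> tag executes whatever the remote host returns as JavaScript.
// Model that with Function(), which compiles the body without running it.
function loadsAsScript(body) {
  try {
    new Function(body); // compile only; no side effects
    return true;
  } catch (e) {
    return false; // SyntaxError: a <script> tag could not consume this
  }
}

const data = { user: 'alice', balance: 42 }; // constructed sample record

// Three ways a server might return the same data.
const jsonp = `handle(${JSON.stringify(data)});`;  // callback-wrapped JSON
const bareJson = JSON.stringify(data);             // {"user":"alice",...}
const xml = '<account><user>alice</user><balance>42</balance></account>';

// Caveat: a bare object literal fails to compile only by accident of syntax
// (the block statement {"user":...} is invalid). A bare JSON array or number
// is a perfectly valid expression statement, so it does load as a script;
// that is why "bare JSON is safe" is not a rule to rely on.

// Defensive habit 1: a JSONP-style endpoint should only honour callback
// names that are plain (dotted) identifiers, so the wrapper cannot be
// turned into arbitrary code by whoever supplies the callback parameter.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function wrapJsonp(callback, value) {
  if (!SAFE_CALLBACK.test(callback)) {
    throw new Error('rejected callback name');
  }
  return `${callback}(${JSON.stringify(value)});`;
}

// Defensive habit 2: for non-public JSON, prepend a prefix that is a syntax
// error in JavaScript so a <script> tag on another site cannot consume the
// response; a same-origin XMLHttpRequest caller strips it before parsing.
const UNPARSEABLE_PREFIX = ")]}',\n";
function protectJson(value) {
  return UNPARSEABLE_PREFIX + JSON.stringify(value);
}
function readProtectedJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error('missing anti-script prefix');
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

console.log('JSONP loads as script:', loadsAsScript(jsonp));          // true
console.log('bare JSON object loads:', loadsAsScript(bareJson));     // false
console.log('bare JSON array loads:', loadsAsScript('[1,2,3]'));     // true
console.log('XML loads as script:', loadsAsScript(xml));             // false
console.log('protected JSON loads:', loadsAsScript(protectJson(data))); // false
```

Run it with `node`; the `loadsAsScript` checks show which response bodies a cross-site `<script>` tag could execute, and `protectJson`/`readProtectedJson` show the pairing a same-origin client needs so that the prefix costs legitimate callers nothing.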