Re: [xml-dev] json v. xml

noah_mendelsohn@us.ibm.com wrote:
> Maybe one of you folks with more experience in the security aspects of the 
> JSON/XML business could clarify something for me.  I've heard it alleged 
> that among the other attractions of JSON is that typical browser security 
> policies allow one to do cross-site retrieval of JavaScript in 
> circumstances where XML retrieval would be disallowed.  Two questions:
> 1. Is this true?
> 2. If so, am I the only one who thinks this is bizarre? 

No, you're not. There are a number of security issues with allowing Java 
applets, JavaScripts, Flash, and any other browser based executable 
thingamajig to connect to arbitrary network hosts including:

1. DDOS attacks
2. Revealing information about hosts behind the firewall that are not 
otherwise visible to the program

I suspect that the JSON workaround is probably just an oversight on the 
part of browser vendors and will be plugged. At the same time I do wish 
it were easier to mashup data from many different sites in one page. 
Security often conflicts with convenience and ease of use. :-(

Elliotte Rusty Harold  elharo@metalab.unc.edu
Java I/O 2nd Edition Just Published!
