OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Maximally Consumable Data

anyway it is a security hazard because when you do that the script
executes when you get it, That you are getting JSON in this way does
not change the fact that you are allowing a JavaScript to execute
inside of your client side application spac, opening up for all sorts
of attacks. However there is some interesting work being done that
may, at some point, allow one to get around this problem - look at
CAJA. However currently I stand be earlier statement that the XML is a
better solution because of better security control of data entering
into the application.

Bryan Rasmussen

On Mon, Apr 7, 2008 at 8:18 PM, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Mukul,
>  > IMHO, what's different (great) about this scenario?
>  I need to give more detail about how it works.
>  A JavaScript Ajax application that is running in a browser can only
>  fetch data from the domain that it came from.  It does this using the
>  XMLHttpRequest object.
>  Quoting now from Bulletproof Ajax:
>  "We can't use XMLHttpRequest to access the Web APIs offered by so many
>  sites these days.  That's a real shame because most APIs return their
>  data in XML, which would be available in responseXML.
>  The script element has no such security restrictions.  It's possible to
>  access a JavaScript file from another domain in this way:
>  <script type="text/javascript"
>  src="http://www.xfront.com/us_states/json/javascript/us_states.js";></sc
>  ript>
>  If you can request a JavaScript file from another domain, then you can
>  also request a JSON file.  Remember, JSON is nothing more than
>  JavaScript."
>  -- the author shows how this can be generated dynamically --
>  Thus, through this technique, the JavaScript running in your browser
>  can pull in data from any web service that serves up JSON (such as the
>  Yahoo web services).
>  /Roger
>  _______________________________________________________________________
>  XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>  to support XML implementation and development. To minimize
>  spam in the archives, you must subscribe before posting.
>  [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>  Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>  subscribe: xml-dev-subscribe@lists.xml.org
>  List archive: http://lists.xml.org/archives/xml-dev/
>  List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS