Re: [xml-dev] Maximally Consumable Data
- From: "Manfred Staudinger" <manfred.staudinger@gmail.com>
- To: "bryan rasmussen" <rasmussen.bryan@gmail.com>
- Date: Mon, 7 Apr 2008 21:59:52 +0200
If I want to consume a web service which offers XML, then I'm forced to go
to my server, request the XML to be sent to it, and then deliver it client side
(or is there a better way?).
If I do it this way, where is the gain in security?
Manfred
On 07/04/2008, bryan rasmussen <rasmussen.bryan@gmail.com> wrote:
> anyway it is a security hazard because when you do that the script
> executes when you get it; that you are getting JSON in this way does
> not change the fact that you are allowing a JavaScript to execute
> inside of your client side application space, opening up for all sorts
> of attacks. However there is some interesting work being done that
> may, at some point, allow one to get around this problem - look at
> CAJA. However currently I stand by my earlier statement that the XML is a
> better solution because of better security control of data entering
> into the application.
>
> Cheers,
>
> Bryan Rasmussen
>
>
> On Mon, Apr 7, 2008 at 8:18 PM, Costello, Roger L. <costello@mitre.org> wrote:
> > Hi Mukul,
> >
> >
> > > IMHO, what's different (great) about this scenario?
> >
> > I need to give more detail about how it works.
> >
> > A JavaScript Ajax application that is running in a browser can only
> > fetch data from the domain that it came from. It does this using the
> > XMLHttpRequest object.
> >
> > Quoting now from Bulletproof Ajax:
> >
> > "We can't use XMLHttpRequest to access the Web APIs offered by so many
> > sites these days. That's a real shame because most APIs return their
> > data in XML, which would be available in responseXML.
> >
> > The script element has no such security restrictions. It's possible to
> > access a JavaScript file from another domain in this way:
> >
> > <script type="text/javascript"
> > src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
> >
> > If you can request a JavaScript file from another domain, then you can
> > also request a JSON file. Remember, JSON is nothing more than
> > JavaScript."
> >
> > -- the author shows how this can be generated dynamically --
> >
> > Thus, through this technique, the JavaScript running in your browser
> > can pull in data from any web service that serves up JSON (such as the
> > Yahoo web services).
> >
> > /Roger
> >
> >
> >
> > _______________________________________________________________________
> >
> > XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> > to support XML implementation and development. To minimize
> > spam in the archives, you must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
> > subscribe: xml-dev-subscribe@lists.xml.org
> > List archive: http://lists.xml.org/archives/xml-dev/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> >
> >
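The server-side route Manfred asks about, as an added example that is not from the thread: the gain is that the browser receives the third-party data as text over a same-origin XMLHttpRequest and parses it with JSON.parse (an ECMAScript 5 addition, so not universally available in 2008), which accepts only the JSON grammar, whereas a remote file loaded through a script element is handed to the JavaScript engine and executed whole. The feed shape (an array of {name, abbreviation} records) and the field names are assumptions, not the real us_states feed.

```javascript
// Added example (not from the thread). A proxied response is consumed as
// data: JSON.parse only accepts the JSON grammar, so function calls,
// assignments or comments in the body are syntax errors and never run.
// The same bytes loaded via <script src="..."> would execute instead.

// Strict consumer for a "US states" feed. Shape assumed: array of
// {name, abbreviation}; the field names are an assumption.
function consumeStatesResponse(contentType, body) {
  // 1. Only accept a declared JSON media type from our own proxy.
  if (!/^application\/json\b/i.test(contentType || "")) {
    throw new Error("unexpected content type: " + contentType);
  }
  // 2. Parse as data, never evaluate. Anything that is "JavaScript but
  //    not JSON" (e.g. a callback wrapper) is rejected here.
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    throw new Error("response is not JSON: " + e.message);
  }
  // 3. Validate the shape before handing it to application code.
  if (!Array.isArray(data)) throw new Error("expected an array of states");
  return data.map(function (s, i) {
    if (typeof s !== "object" || s === null ||
        typeof s.name !== "string" || typeof s.abbreviation !== "string") {
      throw new Error("malformed state record at index " + i);
    }
    return { name: s.name, abbreviation: s.abbreviation.toUpperCase() };
  });
}

// Constructed sample responses (not real service output).
const GOOD_BODY = '[{"name":"Alabama","abbreviation":"al"},' +
                  '{"name":"Alaska","abbreviation":"ak"}]';
// Valid JavaScript, exactly what a <script src> would run, but not JSON:
const SCRIPT_BODY = 'handleStates([{"name":"Alabama","abbreviation":"al"}]);';

function demo() {
  return {
    good: consumeStatesResponse("application/json", GOOD_BODY),
    rejected: (function () {
      try { consumeStatesResponse("application/json", SCRIPT_BODY); return null; }
      catch (e) { return e.message; }
    })()
  };
}
```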