Re: [xml-dev] Maximally Consumable Data
- From: "Mukul Gandhi" <gandhi.mukul@gmail.com>
- To: "Costello, Roger L." <costello@mitre.org>
- Date: Tue, 8 Apr 2008 09:40:44 +0530
Hi Roger,
Thanks for your thoughts.
JSON seems nice for cross domain data domain (particularly in AJAX
applications).
But I agree with others' concerns about security in a JSON environment. A
JSON string is a subset of JavaScript, so malicious attacks can be
done by JSON scripts.
I hope some security extensions to JSON will be developed over time.
On 4/7/08, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Mukul,
>
> > IMHO, what's different (great) about this scenario?
>
> I need to give more detail about how it works.
>
> A JavaScript Ajax application that is running in a browser can only
> fetch data from the domain that it came from. It does this using the
> XMLHttpRequest object.
>
> Quoting now from Bulletproof Ajax:
>
> "We can't use XMLHttpRequest to access the Web APIs offered by so many
> sites these days. That's a real shame because most APIs return their
> data in XML, which would be available in responseXML.
>
> The script element has no such security restrictions. It's possible to
> access a JavaScript file from another domain in this way:
>
> <script type="text/javascript" src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
>
> If you can request a JavaScript file from another domain, then you can
> also request a JSON file. Remember, JSON is nothing more than
> JavaScript."
>
> -- the author shows how this can be generated dynamically --
>
> Thus, through this technique, the JavaScript running in your browser
> can pull in data from any web service that serves up JSON (such as the
> Yahoo web services).
>
> /Roger
--
Regards,
Mukul Gandhi
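The concern raised above is that a JSON response pulled in through a script element is handed to the JavaScript engine, so whatever the other domain serves gets executed. The following is an added example, not code from either poster, showing the defensive alternative: treat the response as text and accept it only if it parses as JSON (via JSON.parse) or as a single JSON argument wrapped in an expected callback name. The payload contents and the callback name are constructed for the example; the us_states file's real structure is an assumption.

```javascript
// Constructed sample responses. The first is plain JSON data; the second is
// valid JavaScript that a <script> element would run, but it is not JSON.
const DATA_PAYLOAD =
  '{"states":[{"name":"Alabama","abbr":"AL"},{"name":"Alaska","abbr":"AK"}]}';
const SCRIPT_PAYLOAD =
  '(function(){ globalThis.tampered = true; return {"states":[]}; })()';

// Parse a response as data only. JSON.parse accepts JSON syntax and nothing
// else; it never evaluates the text, so function calls, assignments and
// other JavaScript constructs are rejected with a SyntaxError.
function parseAsData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// For a "callback(<json>)" style response (the dynamically generated form the
// thread alludes to), strip exactly one expected wrapper and then apply the
// same JSON-only parse. Anything outside that shape is refused rather than
// executed. The callback name must be a plain identifier we chose ourselves.
function unwrapJsonp(text, callbackName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    return { ok: false, error: 'BadCallbackName' };
  }
  const escaped = callbackName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const wrapper = new RegExp('^\\s*' + escaped + '\\(([\\s\\S]*)\\)\\s*;?\\s*$');
  const match = wrapper.exec(text);
  if (!match) {
    return { ok: false, error: 'NotWrappedJson' };
  }
  // JSON.parse is the real gate: trailing statements inside the captured
  // group still fail here because they are not JSON.
  return parseAsData(match[1]);
}

// Walk through the constructed samples; results are returned, not executed.
function demo() {
  return {
    data: parseAsData(DATA_PAYLOAD),
    script: parseAsData(SCRIPT_PAYLOAD),
    wrapped: unwrapJsonp('handleStates({"states":[{"abbr":"AL"}]});', 'handleStates'),
    smuggled: unwrapJsonp('handleStates({"states":[]}); doSomethingElse()', 'handleStates'),
  };
}
```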