Re: [xml-dev] Maximally Consumable Data

Hi Roger,
   Thanks for your thoughts.

JSON seems nice for cross domain data domain (particularly in AJAX

But I agree with others' concerns about security in a JSON environment. A
JSON string is a subset of JavaScript, so malicious attacks can be
done by JSON scripts.

I hope some security extensions to JSON will be developed over time.

On 4/7/08, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Mukul,
> > IMHO, what's different (great) about this scenario?
> I need to give more detail about how it works.
> A JavaScript Ajax application that is running in a browser can only
> fetch data from the domain that it came from.  It does this using the
> XMLHttpRequest object.
> Quoting now from Bulletproof Ajax:
> "We can't use XMLHttpRequest to access the Web APIs offered by so many
> sites these days.  That's a real shame because most APIs return their
> data in XML, which would be available in responseXML.
> The script element has no such security restrictions.  It's possible to
> access a JavaScript file from another domain in this way:
> <script type="text/javascript"
> src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
> If you can request a JavaScript file from another domain, then you can
> also request a JSON file.  Remember, JSON is nothing more than
> JavaScript."
> -- the author shows how this can be generated dynamically --
> Thus, through this technique, the JavaScript running in your browser
> can pull in data from any web service that serves up JSON (such as the
> Yahoo web services).
> /Roger

Mukul Gandhi
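The concern raised in this thread, that a JSON response is executable JavaScript, is easiest to see by putting the legacy eval() pattern next to a grammar-only parser. The example below is added here and is not code from the thread or from xfront.com; the response strings are constructed, and recordSideEffect is a hypothetical global used only to make code execution observable. JSON.parse was standardised in ECMAScript 5 (after this 2008 exchange) and is what current browsers and Node.js provide.

```javascript
// Added example (not from the original thread): why "JSON is JavaScript" matters.
// Legacy Ajax code often turned a JSON response into an object with eval().
// Because the text is parsed as JavaScript, anything that is valid JS runs.
// JSON.parse accepts only the JSON grammar, so a response that merely *looks*
// like JSON but contains an expression is rejected before anything executes.

// Counter used only to make code execution observable in this demo.
let sideEffects = 0;
globalThis.recordSideEffect = () => { sideEffects += 1; return 1; };

// Constructed responses: the first is plain JSON data, the second is a
// JavaScript object literal whose "count" member is a function call.
const GOOD_RESPONSE = '{"states": ["Alabama", "Alaska"], "count": 2}';
const CODE_RESPONSE = '{"states": [], "count": recordSideEffect()}';

// The unsafe legacy pattern: the parentheses make the text an expression,
// and eval() executes whatever that expression contains.
function evalParse(text) {
  return eval('(' + text + ')');
}

// Hardened parser: only the JSON grammar is accepted, nothing is executed.
// Returns { ok: true, value } on success or { ok: false, error } otherwise.
function safeParse(text) {
  try {
    const value = JSON.parse(text);
    // Structural check: a data feed should be an object or array at the top,
    // so a bare scalar is treated as malformed rather than silently accepted.
    if (value === null || typeof value !== 'object') {
      return { ok: false, error: 'top-level value is not an object or array' };
    }
    return { ok: true, value };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Exposes the counter so a caller can confirm whether any code ran.
function sideEffectCount() {
  return sideEffects;
}
```

With safeParse the second response is reported as a syntax error and recordSideEffect is never called; with evalParse it is called and the result still looks like a normal object, which is exactly why the distinction is invisible to the consuming code.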
