Re: [xml-dev] Maximally Consumable Data

Well, there are a number of attempts to deal with the inherent security
problems of sharing scripts from third parties; probably the most
promising is Caja http://code.google.com/p/google-caja/

Cheers,
Bryan Rasmussen

On Tue, Apr 8, 2008 at 6:10 AM, Mukul Gandhi <gandhi.mukul@gmail.com> wrote:
> Hi Roger,
>    Thanks for your thoughts.
>
>  JSON seems nice for cross domain data domain (particularly in AJAX
>  applications).
>
>  But I agree with others' concerns about security in a JSON environment. A
>  JSON string is a subset of JavaScript, so malicious attacks can be
>  done by JSON scripts.
>
>  I hope some security extensions to JSON will be developed over time.
>
>
>  On 4/7/08, Costello, Roger L. <costello@mitre.org> wrote:
>  > Hi Mukul,
>  >
>  > > IMHO, what's different (great) about this scenario?
>  >
>  > I need to give more detail about how it works.
>  >
>  > A JavaScript Ajax application that is running in a browser can only
>  > fetch data from the domain that it came from.  It does this using the
>  > XMLHttpRequest object.
>  >
>  > Quoting now from Bulletproof Ajax:
>  >
>  > "We can't use XMLHttpRequest to access the Web APIs offered by so many
>  > sites these days.  That's a real shame because most APIs return their
>  > data in XML, which would be available in responseXML.
>  >
>  > The script element has no such security restrictions.  It's possible to
>  > access a JavaScript file from another domain in this way:
>  >
>  > <script type="text/javascript"
>  >   src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
>  >
>  > If you can request a JavaScript file from another domain, then you can
>  > also request a JSON file.  Remember, JSON is nothing more than
>  > JavaScript."
>  >
>  > -- the author shows how this can be generated dynamically --
>  >
>  > Thus, through this technique, the JavaScript running in your browser
>  > can pull in data from any web service that serves up JSON (such as the
>  > Yahoo web services).
>  >
>  > /Roger
>
>
>  --
>  Regards,
>  Mukul Gandhi
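The risk Mukul and Roger are discussing, shown as an added example that is not code from the thread: a constructed endpoint response is consumed the way the `<script>` technique consumes it (evaluated as JavaScript) and, beside it, with `JSON.parse`, which accepts only the JSON grammar. The two sample responses and the `sideEffect` marker are constructed for the demonstration.

```javascript
// Added example: why "JSON is just JavaScript" is a security problem.
// A <script src=...> element hands the remote response to the JavaScript
// engine, so whatever the remote host sends runs with the page's
// privileges. JSON.parse accepts only JSON and executes nothing.

// Constructed sample responses from a hypothetical remote JSON endpoint.
const BENIGN_RESPONSE = '{"states":["AL","AK","AZ"]}';
// Valid JavaScript but not valid JSON: the comma expression runs an extra
// assignment before yielding the data the caller expects to see.
const TAMPERED_RESPONSE =
  '(globalThis.sideEffect = "executed", {"states":["AL"]})';

// Models consuming the response as script (the <script>/eval technique).
// Any code the response contains is executed; the data comes back normally.
function consumeAsScript(body) {
  return new Function('return (' + body + ')')();
}

// Defender's alternative: treat the response as data only. Returns
// { ok: true, data } or { ok: false, error } and never executes code.
function consumeAsData(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name + ': ' + err.message };
  }
}

// Runs both consumers over one response and reports whether evaluating it
// as script produced a side effect beyond the returned data.
function compare(body) {
  delete globalThis.sideEffect; // reset the constructed marker
  let scriptResult = null;
  try {
    scriptResult = consumeAsScript(body);
  } catch (err) {
    scriptResult = null;
  }
  return {
    scriptStates: scriptResult ? scriptResult.states : null,
    codeExecuted: globalThis.sideEffect === 'executed',
    data: consumeAsData(body),
  };
}

console.log(compare(BENIGN_RESPONSE));
console.log(compare(TAMPERED_RESPONSE));
```

With the tampered response the script consumer still returns a well-formed `states` array, so the caller sees nothing wrong, while `JSON.parse` rejects it with a SyntaxError.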