
Re: [xml-dev] Maximally Consumable Data


  • From: "Mukul Gandhi" <gandhi.mukul@...>
  • To: "Costello, Roger L." <costello@...>
  • Date: Tue, 8 Apr 2008 09:40:44 +0530

Hi Roger,
   Thanks for your thoughts.

JSON seems nice for cross domain data domain (particularly in AJAX
applications).

But I agree with others' concerns about security in a JSON environment. A
JSON string is a subset of JavaScript, so malicious attacks can be
done by JSON scripts.

I hope some security extensions to JSON will be developed over time.

On 4/7/08, Costello, Roger L. <costello@...> wrote:
> Hi Mukul,
>
> > IMHO, what's different (great) about this scenario?
>
> I need to give more detail about how it works.
>
> A JavaScript Ajax application that is running in a browser can only
> fetch data from the domain that it came from.  It does this using the
> XMLHttpRequest object.
>
> Quoting now from Bulletproof Ajax:
>
> "We can't use XMLHttpRequest to access the Web APIs offered by so many
> sites these days.  That's a real shame because most APIs return their
> data in XML, which would be available in responseXML.
>
> The script element has no such security restrictions.  It's possible to
> access a JavaScript file from another domain in this way:
>
> <script type="text/javascript"
> src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
>
> If you can request a JavaScript file from another domain, then you can
> also request a JSON file.  Remember, JSON is nothing more than
> JavaScript."
>
> -- the author shows how this can be generated dynamically --
>
> Thus, through this technique, the JavaScript running in your browser
> can pull in data from any web service that serves up JSON (such as the
> Yahoo web services).
>
> /Roger


-- 
Regards,
Mukul Gandhi
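
An added example, not part of the original thread: one way to address the concern above is to treat a cross-domain response as data rather than script, parsing it with the strict `JSON.parse` grammar and checking its shape before use. The function name `parseStatesPayload`, the record shape (`name`, `abbreviation`) and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: handle a fetched payload as data, never as executable script.
// Assumed (hypothetical) payload shape: an array of { name, abbreviation }.

function parseStatesPayload(text) {
  let data;
  try {
    // JSON.parse accepts only the JSON grammar: no assignments,
    // function calls, comments or other JavaScript statements.
    data = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: "not strict JSON" };
  }
  if (!Array.isArray(data)) {
    return { ok: false, reason: "expected an array" };
  }
  const states = [];
  for (const item of data) {
    const plain =
      item !== null && typeof item === "object" && !Array.isArray(item);
    if (!plain ||
        typeof item.name !== "string" ||
        typeof item.abbreviation !== "string" ||
        !/^[A-Z]{2}$/.test(item.abbreviation)) {
      return { ok: false, reason: "unexpected record shape" };
    }
    // Copy only the expected fields; any extra keys are dropped.
    states.push({ name: item.name, abbreviation: item.abbreviation });
  }
  return { ok: true, states };
}

// Constructed sample inputs (not taken from any real service).
const SAMPLE_JSON = '[{"name":"Ohio","abbreviation":"OH","extra":1}]';
// Valid JavaScript that a <script> element would execute, but not JSON.
const SAMPLE_SCRIPT =
  'var us_states = [{"name":"Ohio","abbreviation":"OH"}]; unexpectedCall();';

console.log(parseStatesPayload(SAMPLE_JSON));   // accepted, "extra" removed
console.log(parseStatesPayload(SAMPLE_SCRIPT)); // rejected before any use
```

A file loaded through a `<script>` element is executed by the browser before any check like this can run, so the validation only applies when the response is obtained as text.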

