[whatwg] JSONRequest

[Jim Ley]

On 3/11/06, Douglas Crockford <douglas at crockford.com> wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
>
> You can read about it here: http://json.org/JSONRequest.html

Unfortunately your security analysis is lacking some situations,
Indeed the statement

" It provides this highly valuable service while introducing no new
security vulnerabilities. "

is false, please remove it to avoid any confusion.

Accessing JSON resources on a local intranet which are secured by
nothing more than the requesting IP address.  Indeed you actually skip
over this pretending that there would only be legacy
data/documents/scripts available in such a situation, despite the
number of people who've been shipping such products for 6 years or
more.

In other non security areas, you don't define how the delay product is
reset - is it per window, per host, per instance?  That needs
defining.

The "not ok" needs to be refined to deal with proxy caches that may
return other codes, e.g. 304 or 206.

The Duplex claim is misleading, and you should specifically mention
that if you do use 2 connections, no other content would be
downloadable from the site in a conforming HTTP 1.1 implementation.

The cache rules are unworkable, please remove these and use standard
HTTP methods for suggesting the cacheability of a resource, forcing
them to be uncacheable is unworkable w.r.t. to proxy caches and
extremely unwelcome within the browser.

Most importantly is to actually make it safe to use.

cheers,

Jim.