[whatwg] JSONRequest

Darin Fisher darin at meer.net
Mon Mar 13 10:36:52 PST 2006

Douglas Crockford wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
> You can read about it here: http://json.org/JSONRequest.html

This looks like an interesting proposal.  Some comments:

I'm not sure how JSONRequest solves (or even avoids) the problem of 
XSS.  For example, suppose some intranet deploys a JSON service.  What 
is to prevent an employee's browser from being used to gain access to 
that JSON service?  All the attacker (a.k.a. disgruntled employee) needs 
to do is know the URL of the JSON service and then trick employees to 
visit an external page under the attackers control.

Moreover, if HTTP auth and cookies are not supported, then how does 
someone restrict access to their JSON service?  For example, it is 
common practice to use Kerberos to implement HTTP auth on intranets.

Backing up a second, I think what we need is a way to grant websites the 
ability to control who may access their resources.  It'd be ideal if the 
browser had a way to ask the server for the list of hosts (or domains) 
that are permitted to access it.  I don't think this is a new idea as 
several specifications have been attempted along these lines.  Mozilla 
even implements one of them for its SOAP and WSDL implementation.


More information about the whatwg mailing list