darin at meer.net
Mon Mar 13 10:36:52 PST 2006
Douglas Crockford wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
> You can read about it here: http://json.org/JSONRequest.html
This looks like an interesting proposal. Some comments:
I'm not sure how JSONRequest solves (or even avoids) the problem of
XSS. For example, suppose some intranet deploys a JSON service. What
is to prevent an employee's browser from being used to gain access to
that JSON service? All the attacker (a.k.a. disgruntled employee) needs
to do is know the URL of the JSON service and then trick employees into
visiting an external page under the attacker's control.
Moreover, if HTTP auth and cookies are not supported, then how does
someone restrict access to their JSON service? For example, it is
common practice to use Kerberos to implement HTTP auth on intranets.
Backing up a second, I think what we need is a way to grant websites the
ability to control who may access their resources. It'd be ideal if the
browser had a way to ask the server for the list of hosts (or domains)
that are permitted to access it. I don't think this is a new idea as
several specifications have been attempted along these lines. Mozilla
even implements one of them for its SOAP and WSDL implementation.
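
The access-control idea sketched above, as an added example that is not part of this thread or of the JSONRequest proposal: a service declares the exact origins allowed to read its data, and the browser supplies the requesting page's origin with each cross-site request. The allow-list, the header name and the handler shape are assumptions for illustration.

```javascript
// Added example, not code from the original post: a server-side decision
// for "which hosts may access this resource". Hypothetical names throughout.

// Constructed allow-list published by an intranet JSON service.
const ALLOWED_ORIGINS = new Set([
  "https://portal.example.internal",
  "https://reports.example.internal:8443",
]);

// Normalize an origin to scheme://host[:port]; default ports are dropped
// by the URL parser, so "https://x:443" and "https://x" compare equal.
// Returns null for anything that is not a bare, well-formed origin
// (including the opaque "null" origin of sandboxed or file:// pages).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.origin === "null") return null;
  // A real origin carries no path, query or fragment beyond "/".
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin;
}

// Exact-match only: prefix or suffix matching would admit
// "https://portal.example.internal.attacker.test" or "http://portal.example.internal".
function isOriginAllowed(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(requestOrigin);
  return origin !== null && allowed.has(origin);
}

// Handler for a cross-site request from `requestOrigin`. A disallowed origin
// gets a 403 with an empty body, so a page the employee was tricked into
// visiting learns nothing about the service's data. The header name
// "X-Permitted-Origin" is hypothetical.
function handleCrossSiteRequest(requestOrigin, data) {
  if (!isOriginAllowed(requestOrigin)) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "X-Permitted-Origin": normalizeOrigin(requestOrigin) },
    body: JSON.stringify(data),
  };
}
```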