jim.ley at gmail.com
Mon Mar 13 10:42:00 PST 2006
On 3/13/06, Darin Fisher <darin at meer.net> wrote:
> Moreover, if HTTP auth and cookies are not supported, then how does
> someone restrict access to their JSON service? For example, it is
> common practice to use Kerberos to implement HTTP auth on intranets.
If you know you might be susceptible to the intranet attack, then all
you need to do is use SSL and have the security within the JSON
string. Of course, doing this opens you up to separate problems, and
it's far from easy.
> I don't think this is a new idea as
> several specifications have been attempted along these lines. Mozilla
> even implements one of them for its SOAP and WSDL implementation.
Yep, whilst I'm not overly happy with the approach, it's certainly
better than the let's hope people don't know our URLs of the above