Hallvord R M Steen
hallvors at gmail.com
Wed Mar 15 23:58:08 PST 2006
On 3/11/06, Jim Ley <jim.ley at gmail.com> wrote:
> Accessing JSON resources on a local intranet which are
> secured by nothing more than the requesting IP address.
While this is a valid concern I think the conclusion "no *new*
security vulnerabilities" is correct. If you today embed data on an
SCRIPT tag and steal the data.
Of course if this is implemented in UAs, it will encourage intranets
to publish JSONRequest services, so the situation may well get worse.
> The "not ok" needs to be refined to deal with proxy caches that may
> return other codes, e.g. 304 or 206.
> The cache rules are unworkable, please remove these and use standard
> HTTP methods for suggesting the cacheability of a resource, forcing
> them to be uncacheable is unworkable w.r.t. proxy caches and
> extremely unwelcome within the browser.
You missed the fact that every request in this proposal seems to be a
POST request. No UA or proxy should cache POST anyway.
Hallvord R. M. Steen