[whatwg] JSONRequest

Jim Ley jim.ley at gmail.com
Thu Mar 16 11:04:43 PST 2006

On 3/16/06, Hallvord R M Steen <hallvors at gmail.com> wrote:
> > > If you today embed data on an
> > > intranet in JavaScript I can create a page that loads that script in a
> > > SCRIPT tag and steal the data.
> >
> > Could you please describe how exactly?  the contents of remote script
> > elements are not typically available (and if they are it's a large
> > security hole today) unless valid javascript objects are produced to
> > be queried, that is not the case with bare JSON.
> You are right, if no variables are created one can't see the data by
> loading it in a  SCRIPT tag. Are you aware of intranets/CMSes that use
> this as a security mechanism?

Yes, I've shipped systems, and seen many others where the only
protection on the internal side is IP based, and use JSON data
retrieved by XHR and new Function'd into JS objects.  It's quite
common in fact.



More information about the whatwg mailing list