[whatwg] JSONRequest

Gervase Markham gerv at mozilla.org
Thu Mar 16 13:13:43 PST 2006


Hallvord R M Steen wrote:
> You are right, if no variables are created one can't see the data by
> loading it in a SCRIPT tag. Are you aware of intranets/CMSes that use
> this as a security mechanism?

That's not actually right. I'm pretty sure this came across a public
security list, so...

You can override the constructor on the prototype of the Object object
and get access to JSON objects before the JavaScript engine throws them
away when it realises they don't get assigned to a variable.

Or something like that, anyway. I can't remember exactly how it worked.
But I'm pretty sure that it's true that you can get JSON data if it's
not protected.

Gerv
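
A defender-side check related to the message above, added here as an example and not part of the original post: it tests whether a JSON response body would parse as script source if a page pulled it in through a SCRIPT tag, and shows a non-parseable guard prefix as one way to protect such a response. The function names, the sample bodies and the choice of prefix are assumptions made for this illustration.

```javascript
// Added illustration; all names and sample bodies below are constructed.

// Assumed guard: these characters are a syntax error for any script parser,
// so a response starting with them cannot run when loaded via a SCRIPT tag.
const PREFIX = ")]}',\n";

// True if `body` parses as JavaScript source. new Function() only compiles
// the text (as a function body, a close approximation of a script for JSON
// input); it is never called, so nothing in `body` is executed.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialise with the guard prefix in front.
function protect(value) {
  return PREFIX + JSON.stringify(value);
}

// Legitimate same-origin client: strip the guard, then parse as JSON.
function readProtected(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(PREFIX.length));
}

// Audit helper: flag response bodies that are valid script source as-is.
function audit(bodies) {
  return bodies.filter(parsesAsScript);
}

// Constructed sample responses.
const samples = [
  '[{"user":"alice","balance":120}]',   // top-level array: valid script
  '{"user":"alice","balance":120}',     // top-level object: parsed as a block
  protect([{ user: "alice", balance: 120 }]),
];
console.log(audit(samples));
```

Only the bare top-level array is reported; the bare object fails to parse because the script grammar reads its opening brace as a block, and the guarded response fails on the prefix.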
