[whatwg] JSONRequest

Jim Ley jim.ley at gmail.com
Fri Mar 17 06:06:11 PST 2006

On 3/16/06, Gervase Markham <gerv at mozilla.org> wrote:
> Hallvord R M Steen wrote:
> > You are right, if no variables are created one can't see the data by
> > loading it in a  SCRIPT tag. Are you aware of intranets/CMSes that use
> > this as a security mechanism?
> That's not actually right. I'm pretty sure this came across a public
> security list, so...
> You can override the constructor on the prototype of the Object object
> and get access to JSON objects before the JavaScript engine throws them
> away when it realises they don't get assigned to a variable.
> Or something like that, anyway. I can't remember exactly how it worked.
> But I'm pretty sure that it's true that you can get JSON data if it's
> not protected.

I can't reproduce this, in IE and Opera, there's no effect whatsover
playing with Object constructors, in Mozilla there is however it is
not called unless you have an expression:

{chicken:true} // doesn't call it.
donkey={chicken:true} // does call it.

Please can you provide more information on how raw JSON is available
from script elements?



More information about the whatwg mailing list