On Thu, Mar 13, 2008 at 6:41 AM, KH <[EMAIL PROTECTED]> wrote:
> The only /real/ vulnerability to JSON - as I understand it, and I could be
> wrong - is when you read JSON from untrusted hosts. JSON doesn't have the
> requirement like XML does that the response come from the same host that
> you requested it from - and this is where some of the cross-site scripting
> exploits come into play (as I understand it). But I'm sure there are some
> pretty good ways of mitigating that risk. The two ways I can think of off
> the top of my head are: including a sha-1 challenge in every request, and a
> sha-1 response with the returned data; or just encrypt every data field with a
> cheap encryption scheme using a certificate you push to the client.
> Actually, I just read a great article on pushing certs to the client:
> http://drnicwilliams.com/2008/02/22/zero-sign-on-with-client-certificates/
This is incorrect: you can read XML and JSON from 3rd-party domains if you know how to instruct the browser to do it. The browser will only limit the host if you use XmlHttpRequest as the transport. The format of the data has nothing to do with the security rules applied to the transport. If you try to do an XmlHttpRequest to a different domain, it will fail. It doesn't know anything at all about the format - you can send anything: plain text, HTML, JSON, PHP serialization. To handle cross-domain requests, you can use an iframe transport, and it will work for any other domain, regardless of the wire format.

Cross-site scripting is a completely different beast, though.

The real core issue is that relying on the browser to always do what you want is not a good idea, much like trusting the referrer headers. Just don't. Code responsibly, and JSON and XML are both equal in this regard - done responsibly, the only difference is personal taste.

-J

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
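The "code responsibly, JSON and XML are both equal" point above, as an added example that is not part of the thread and not Catalyst code: a server-side handler that decodes either wire format into the same plain structure, validates it against a whitelist of fields and types, and never consults the Referer header (a client-supplied value, so no basis for a trust decision). The schema (`id`, `comment`), the content-type dispatch and the sample requests are assumptions constructed for the example. Python's standard-library parsers are used only because they need no dependencies; the validation logic is the point, and it is identical for both formats.

```python
import json
import xml.etree.ElementTree as ET

# Hypothetical schema for this example: the only fields the handler accepts.
ALLOWED_FIELDS = {"id": int, "comment": str}
MAX_COMMENT_LEN = 200


def parse_body(content_type, body):
    """Turn the wire format into a plain dict of field -> value.

    Raises ValueError for anything that is not a flat JSON object or a flat
    XML document with one element per field. The format decides only how the
    bytes are decoded; the checks that matter happen afterwards in validate().
    """
    if content_type == "application/json":
        data = json.loads(body)  # JSONDecodeError is a ValueError subclass
        if not isinstance(data, dict):
            raise ValueError("JSON body must be an object")
        return data
    if content_type in ("application/xml", "text/xml"):
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:  # not a ValueError, so normalise it
            raise ValueError("malformed XML: %s" % exc)
        data = {}
        for child in root:
            if len(child) or child.tag in data:
                raise ValueError("XML body must be flat with unique fields")
            data[child.tag] = child.text or ""
        return data
    raise ValueError("unsupported content type: %r" % content_type)


def coerce(name, value):
    """Check (and, for XML text, convert) one field to its declared type."""
    expected = ALLOWED_FIELDS[name]
    if expected is int:
        if isinstance(value, bool):  # bool is an int subclass; reject it
            raise ValueError("%s: boolean is not an integer" % name)
        if isinstance(value, int):
            return value
        if isinstance(value, str) and value.strip().lstrip("-").isdigit():
            return int(value)  # XML only ever gives us text
        raise ValueError("%s: not an integer" % name)
    if expected is str:
        if isinstance(value, str) and len(value) <= MAX_COMMENT_LEN:
            return value
        raise ValueError("%s: not a string of acceptable length" % name)
    raise ValueError("%s: unsupported schema type" % name)


def validate(data):
    """Whitelist fields and types; any unexpected or missing field is rejected."""
    if set(data) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected or missing fields: %s"
                         % sorted(set(data) ^ set(ALLOWED_FIELDS)))
    return {name: coerce(name, data[name]) for name in ALLOWED_FIELDS}


def handle_request(headers, body):
    """Decode and validate the body. The Referer header is deliberately
    never read: it is set by the client, so it proves nothing about origin."""
    try:
        clean = validate(parse_body(headers.get("Content-Type", ""), body))
    except ValueError as exc:
        return ("reject", str(exc))
    return ("ok", clean)


# Constructed sample requests (not captured traffic): the same payload over
# two wire formats, one of them with a Referer that should make no difference.
JSON_REQ = ({"Content-Type": "application/json", "Referer": "https://app.example/"},
            '{"id": 42, "comment": "hello"}')
XML_REQ = ({"Content-Type": "text/xml", "Referer": "https://evil.example/"},
           "<post><id>42</id><comment>hello</comment></post>")
JSON_EXTRA = ({"Content-Type": "application/json", "Referer": "https://app.example/"},
              '{"id": 42, "comment": "hello", "admin": true}')
XML_EXTRA = ({"Content-Type": "text/xml"},
             "<post><id>42</id><comment>hello</comment><admin>1</admin></post>")


if __name__ == "__main__":
    for req in (JSON_REQ, XML_REQ, JSON_EXTRA, XML_EXTRA):
        print(handle_request(*req))
```

Both well-formed requests produce the identical cleaned dict, and both "extra field" requests are rejected for the same reason, whichever format carried them; the forged Referer on the XML request changes nothing because the handler never looks at it. Everything the transport or the browser might have been expected to enforce is re-checked here, which is the only place it can be enforced.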
