> -----Original Message-----
> From: J. Shirley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 13, 2008 11:51 AM
> To: The elegant MVC web framework
> Subject: Re: [Catalyst] Re: implementing ajax
>
> On Thu, Mar 13, 2008 at 6:41 AM, KH <[EMAIL PROTECTED]> wrote:
> > The only /real/ vulnerability to JSON - as I understand it, and I could be
> > wrong - is when you read JSON from untrusted hosts. JSON doesn't have the
> > requirement like XML does that the response come from the same host that
> > you requested it from - and this is where some of the cross-site scripting
> > exploits come in to play (as I understand it). But I'm sure there are some
> > pretty good ways of mitigating that risk. The two ways I can think of off
> > the top of my head are: including a sha-1 challenge in every request, and
> > sha-1 response with the returned data; or just crypt every data field with a
> > cheap encryption scheme using a certificate you push to the client.
> >
> > Actually, I just read a great article on pushing certs to the client:
> > http://drnicwilliams.com/2008/02/22/zero-sign-on-with-client-certificates/
>
> This is incorrect, you can read XML and JSON from 3rd party domains if
> you know how to instruct the browser to do it. The browser will only
> limit host if you use XmlHttpRequest as the transport. The format of
> the data has nothing to do with the security rules applied to
> transport.
>
> If you try to do an XmlHttpRequest to a different domain, it will
> fail. It doesn't know anything at all about the format - you can send
> anything: plain text, html, JSON, PHP Serialization. To handle
> cross-domain requests, you can use an iframe transport and it will
> work for any other domain, regardless of the wire format. Cross-site
> scripting is a completely different beast, though.
>
> The real core issue is that relying on the browser to always do what
> you want is not a good idea, much like trusting the referrer headers.
> Just don't.
>
> Code responsibly, and JSON and XML are both equal in this regard -
> done responsibly the only difference is personal taste.

I'll have to concede to the greater knowledge levels of those around me. I
guess JSON just scares me more because of how close it is to being eval-able
by a malicious client and captured with a simple <script> tag. However, that's
probably more a personal taste at this point.

v/r
-matt pitts

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
