If I recall correctly, this was done to help address information
leakage. Meaning if you're logged into a web application and also
visiting a page on another website, that other page could have a script
tag pointing at your web application, resulting in that data being added
to the page scope, which other scripts on that page could then read.
Having the resulting JSON data wrapped in a comment prevents that data
from being automatically executed by the browser and added to scope, but
doesn't prevent valid XHR requests (which enforce the same-host policy)
from getting the result, stripping off a few characters and then exec'ing
to get the data.
So by "resolving" this "issue" you've just made all apps built on top of
it less secure.
-Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
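The mechanism Dale describes, as an added illustration that is not code from the thread or from the Struts JSON plugin: the server wraps the serialised response in a block comment, a cross-site `<script src>` inclusion then evaluates to nothing, while a same-origin client that fetched the body itself checks for the wrapper, strips it and parses the remainder. The names `wrapJson`, `unwrapJson` and `simulateScriptTag` and the `/* ... */` delimiters are this example's own choices; `JSON.parse` is used on the client instead of the eval the message mentions, and a `*/` occurring inside a string value is escaped as `*\/` (a legal JSON escape) so it cannot terminate the comment early.

```javascript
// Added example; not from the Struts mailing-list thread or the Struts plugin.
// Function names and the comment delimiters below are this example's own.

const PREFIX = '/* ';
const SUFFIX = ' */';

// Server side: serialise the data and wrap it in a block comment so that a
// <script src="..."> pointing at this endpoint evaluates to nothing.
// A "*/" inside a string value would end the comment early, so it is written
// as "*\/", which JSON.parse reads back as "*/".
function wrapJson(data) {
  const json = JSON.stringify(data).replace(/\*\//g, '*\\/');
  return PREFIX + json + SUFFIX;
}

// Client side (same-origin XHR): refuse anything that is not comment-wrapped,
// strip the wrapper, then parse with JSON.parse rather than eval.
function unwrapJson(body) {
  if (!body.startsWith(PREFIX) || !body.endsWith(SUFFIX)) {
    throw new Error('response is not comment-wrapped; refusing to parse');
  }
  return JSON.parse(body.slice(PREFIX.length, body.length - SUFFIX.length));
}

// Simulates what a browser does with a <script src> pointing at the endpoint:
// evaluate the body as a script in global scope and return its completion value.
// An unwrapped array literal completes to the array (readable by other scripts
// on the including page); a comment-wrapped body completes to undefined.
function simulateScriptTag(body) {
  return (0, eval)(body); // indirect eval: global scope, like a script tag
}

// Constructed sample data for a stand-alone run.
const sample = [{ user: 'dale', note: 'ends with */' }];
const wrapped = wrapJson(sample);
console.log('wrapped body:', wrapped);
console.log('script-tag completion value (wrapped):', simulateScriptTag(wrapped));
console.log('script-tag completion value (bare):', simulateScriptTag(JSON.stringify(sample)));
console.log('same-origin client sees:', unwrapJson(wrapped));
```

Running it shows the bare array literal completing to the data while the wrapped body completes to `undefined`; the client-side check is the part Dale's point depends on, since a client that accepts either form gains nothing from the wrapper.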