I don't fully understand the blog post about the security problems. From what
I can see, you need to be able to render a malicious script tag to be able to
intercept the JSON data. But if you are able to do that, there are much bigger
problems.

Indeed. If a malicious script can be injected, the DOM can be completely
controlled and intercepted no matter what kind of encoding is used for
the ajax response. However, the technique described in the blog means
that raw components of a JSON response which are not added to the DOM
can be intercepted by a malicious script by overloading array methods.
I am unconvinced that using xml responses solves this problem though.
Can't the javascript functions processing an xml response be overloaded
just as well to capture it?
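The standard defence against the array-overloading interception described in the reply above, as an added example that is not part of the thread: the server prefixes every JSON body with a token that is a syntax error when the body is loaded as a `<script>`, and never returns a bare top-level array; the client strips the prefix and uses `JSON.parse` instead of `eval`. The function names and the `items` wrapper key are assumptions for this example.

```javascript
// Added example (not from the thread). Names such as protectJson,
// parseProtectedJson, isScriptLoadable and the "items" key are assumed.

// Prefix that cannot be parsed as JavaScript: a <script src="..."> load of
// the response dies with a SyntaxError before any array literal is built.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: wrap the data for transport. A top-level array is wrapped in
// an object so the body is never a bare array literal, and the prefix is
// prepended so the body is not a valid script.
function protectJson(data) {
  const payload = Array.isArray(data) ? { items: data } : data;
  return ANTI_HIJACK_PREFIX + JSON.stringify(payload);
}

// Client side: refuse to parse a body that lacks the prefix (it did not come
// from the hardened endpoint), then strip the prefix and use JSON.parse,
// which does not call a redefined Array constructor or prototype setters.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response missing anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's check: would this body be accepted as a script? A bare array
// literal is a valid expression statement, so it parses; a prefixed body
// throws a SyntaxError and therefore cannot be executed by a <script> tag.
function isScriptLoadable(body) {
  try {
    new Function(body); // parses only, never runs the body
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
```

Note that the prefix protects an endpoint only if the client strips it on every response; a copy of the endpoint without the prefix, or a client that falls back to `eval`, reopens the problem.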