@Julian, believe me I was on the JSON security issue more than once with Mr Crockford.
The issue I have pointed out is that one can have whole functions as symbol names in JSON. And then execute them with an innocently looking "sleeper".

On Jan 7, 2:49 pm, Julian Aubourg <aubourg.jul...@gmail.com> wrote:
> What I'm worried about is attacks on existing pages.
>
> So far, in jQuery, executing javascript was borded to conscious actions by devs:
> - inserting HTML in the document (ajax doesn't execute embedded script automagically),
> - jsonp,
> - specific ajax wrappers (getScript, load) or cross-domain access to scripts (what getScript hides).
>
> (I may forget some)
>
> With the change you landed, any cross-domain ajax request through xhr that doesn't specify the dataType (expecting text or xml as of 1.3) can be tricked by a third party into executing code (since, as of 1.4 latest, all the server has to do is to specify an application/javascript content-type).
>
> I'm not against it per se, you know I'm a big fan of jsonp and cross-domain madness, but this particular situation seems a bit dangerous to me.
>
> 2010/1/7 John Resig <jere...@gmail.com>
>
> > > btw, I also saw you landed an auto-fetching for script (FYI, I "synchronized" the rewrite with latest changes, including javascript auto-execution) but I believe it is just plain wrong to let the server decide what should be executed client-side (especially with cross-domain xhr getting more widespread). Protected JSON decoding is fine by me but javascript silently getting executed seems like a hell of a hole.
> >
> > If you're worried about JavaScript coming to the client and executing there's little that jQuery can do to try and stop it - especially since script tags could be injected into raw HTML and get inserted into a site. If you're worried about auto-executing script then you should also be worried about getScript and .load().
> > --John
-- You received this message because you are subscribed to the Google Groups "jQuery Development" group. To post to this group, send email to jquery-...@googlegroups.com. To unsubscribe from this group, send email to jquery-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/jquery-dev?hl=en.
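The concern in the thread is whether a missing `dataType` should let the server's `Content-Type` decide that a response is script to be evaluated. The following is an added example, not jQuery's own code: it models the two policies in plain JavaScript against a constructed `{ contentType, body }` response object, with the permissive policy filling in a missing `dataType` from the header (as the thread describes for 1.4) and the strict policy requiring the caller to state what it expects. The sample bodies, the function names and the `guessDataType` mapping are all assumptions made for the illustration.

```javascript
// Added example, not jQuery's code: two policies for turning a response
// into data. A "response" is a constructed object { contentType, body }.

// Constructed sample bodies (not real server output).
const SAMPLE_JSON = '{"user":"alice","role":"viewer"}';
// Valid JavaScript but not valid JSON: evaluating it sets a global as a
// visible marker that code ran, then yields an object.
const SAMPLE_SCRIPT = 'globalThis.scriptRan = true; ({"user":"alice"})';

// Map a Content-Type header to the dataType a header-based guess would pick
// (assumed mapping for this example).
function guessDataType(contentType) {
  const ct = String(contentType || '').toLowerCase();
  if (/(application|text)\/(x-)?javascript/.test(ct)) return 'script';
  if (/application\/json/.test(ct)) return 'json';
  if (/xml/.test(ct)) return 'xml';
  return 'text';
}

// Permissive policy: when the caller omits dataType, the server's header
// fills it in, so a 'script' response is evaluated although the caller
// never asked for script.
function handlePermissive(response, dataType) {
  const effective = dataType || guessDataType(response.contentType);
  switch (effective) {
    case 'script':
      // indirect eval: runs the body in global scope
      return { kind: 'script', value: (0, eval)(response.body) };
    case 'json':
      return { kind: 'json', value: JSON.parse(response.body) };
    default:
      return { kind: effective, value: response.body };
  }
}

// Strict policy: the caller must state the expected dataType and only that
// handling is applied. 'json' goes through JSON.parse, which never executes
// anything, and 'script' is honoured only because the caller opted in,
// never because of a header the server chose.
function handleStrict(response, dataType) {
  if (!dataType) {
    throw new Error('dataType is required: the server must not decide what runs');
  }
  switch (dataType) {
    case 'json':
      return { kind: 'json', value: JSON.parse(response.body) }; // throws on non-JSON
    case 'script':
      return { kind: 'script', value: (0, eval)(response.body) };
    case 'text':
    case 'xml':
      // XML parsing omitted in this example; the body is returned untouched
      return { kind: dataType, value: response.body };
    default:
      throw new Error('unsupported dataType: ' + dataType);
  }
}

// Reports whether a policy evaluated the response, without throwing.
function outcome(policy, response, dataType) {
  try {
    return { executed: policy(response, dataType).kind === 'script', error: null };
  } catch (e) {
    return { executed: false, error: e.message };
  }
}
```

Under the strict policy a cross-domain response labelled `application/javascript` is either rejected (`dataType: 'json'`, because `JSON.parse` refuses it) or returned as inert text (`dataType: 'text'`); only the permissive policy lets the header turn it into executed code. In jQuery terms this is the mitigation the thread points at: pass `dataType` explicitly on every cross-domain xhr call rather than relying on the guess.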