On 2007-06-04, at 11:24 EDT, Henry Minsky wrote:
JSON will of course parse directly using eval() in DHTML. Loading of JSON also is currently free of the security restrictions that XMLHTTPRequest has, which allows the client more power to access 3rd party services without needing to go through a proxy server on the host from which the app was loaded (which could be a good thing or bad thing, depending on how you feel...)
Most likely a bad thing, as discussed [here](http://www.fortifysoftware.com/advisory.jsp).

For that reason, we probably want to use Oliver's parser for both runtimes, and want to ensure the json data is _not_ directly evaluable, as previously discussed in this thread:
On 2007-04-03, at 07:06 EDT, P T Withington wrote:
1) Your server has to protect itself from [CSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks.
2) You should not deliver your data as executable code, since anyone could then load it using a <script> tag.
[...]
As annoying as it is, using Flash allows you to be more secure. Because it enforces a cross-domain policy on both data and code. DHTML only enforces such a policy on data. Hence, if you deliver your data as code, you run the risk of it being stolen.
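The two points made in the quoted message (protect the data endpoint from cross-site requests, and never serve data in a form that a `<script>` tag can execute) can be shown together in a small example. This is an added illustration, not code from the thread or from the project being discussed, and it uses the built-in `JSON.parse` as a stand-in for "Oliver's parser"; the prefix string, the `X-Requested-With` check and all function names are assumptions of this example. The server-side half prepends a fragment that is a syntax error when executed as script, and the client half strips that fragment and hands the remainder to a real parser instead of `eval()`.

```javascript
// Added example (not part of the original thread). Assumes Node.js.
// The prefix is a constructed value chosen because it is invalid as the
// start of a JavaScript program, so a cross-site <script src=...> load
// throws a SyntaxError before any of the data is evaluated.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: serialise the data and guard it against execution.
function guardJsonResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Server side: a <script> tag (or a plain HTML form) cannot add custom
// request headers, while a same-origin XMLHttpRequest can. Requiring one
// is a cheap way to refuse cross-site loads of the data endpoint.
function isSameOriginRequest(headers) {
  return headers["x-requested-with"] === "XMLHttpRequest";
}

function handleDataRequest(headers, data) {
  if (!isSameOriginRequest(headers)) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: guardJsonResponse(data) };
}

// Client side: verify the prefix is present, strip it, then parse with a
// real JSON parser. No eval(): a malformed payload is an error, not code.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Demonstrates the risk the thread describes: would this body run if a
// third-party page loaded it as a script? We only compile, never execute.
function rawBodyIsExecutable(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample record, an array on purpose: a bare JSON array is a
// valid JavaScript expression, which is exactly what makes it stealable
// via a <script> tag when served unguarded.
function demo() {
  const records = [{ id: 1, email: "alice@example.test" }];
  const unguarded = JSON.stringify(records);
  const guarded = guardJsonResponse(records);
  return {
    unguardedRuns: rawBodyIsExecutable(unguarded), // true
    guardedRuns: rawBodyIsExecutable(guarded),     // false
    parsed: parseGuardedJson(guarded),
    crossSite: handleDataRequest({}, records).status,                                  // 403
    sameOrigin: handleDataRequest({ "x-requested-with": "XMLHttpRequest" }, records).status, // 200
  };
}

console.log(JSON.stringify(demo()));
```

The prefix check on the client is deliberate: if the server ever regresses to serving bare JSON, the client fails loudly rather than silently accepting a payload that is once again loadable as a script.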