One question that hasn't come up much is the security impact of the
XDR *API* in likely deployments. I'd like to look at that a bit
more in this message...
Specifically, XDR is aiming at the kinds of cross-site data flows
for which we currently use cross-site script tags. I.e., the user
runs
Subject: XDR *API* Security Impact
On 2008-04-14 10:59:27 -0600, Kris Zyp wrote:
AFAIK, Crockford's json.js library is effective in validating
JavaScript such that JSON data can be properly executed without
allowing arbitrary code execution. In addition, I would be
surprised if we don't see native JSON evaluators in browsers
I don't know whether most modern devs are using JSON,
Yeah, I really don't have any data to back that up, I shouldn't make such
claims :). But I think it is safe to say that many devs use it.
More generically, I don't think that new cross-origin APIs that
just return a string (but are