There's a fairly good discussion here: http://extjs.com/forum/archive/index.php/t-4047.html with several good links. The basic idea is to make it impossible to use eval() to get the data, so for instance the server could always put the JSON string between '/*' and '*/', which will make a comment out of the string, thus hiding it from any evaluation.
Another tack (I think Google did this last year in response to a phishing cross-domain trick for Gmail) is to prepend a 'for(;;);', which runs the attacker in circles :)

Cheers,
PS

On Feb 4, 2008 9:31 AM, Bertrand Delacretaz <[EMAIL PROTECTED]> wrote:
> On Feb 4, 2008 9:20 AM, Peter Svensson <[EMAIL PROTECTED]> wrote:
> > ...If you/we use JSON, I might also suggest to wrap
> > it in an error-inducing layer, to be stripped by the client before eval(),
> > to avoid JavaScript Cross-domain snooping....
>
> Do you have a suggestion for this error inducing layer? Just a
> constant String before the JSON data, or something more sophisticated?
>
> -Bertrand
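The error-inducing layer discussed in this message, as an added example that is not from the thread: a server-side wrapper that prepends 'for(;;);' (or wraps the body in a '/* */' comment) and a matching client-side unwrapper that strips the layer and parses with JSON.parse rather than eval(). The function names and the LOOP_PREFIX constant are assumptions for illustration; the escaping of "*/" inside the comment variant is a caveat added here, since a string value containing "*/" would otherwise close the comment early.

```javascript
// Added example (not from the thread): the "error-inducing layer" for JSON
// responses. Names and the prefix constant are illustrative assumptions.
const LOOP_PREFIX = 'for(;;);';

// Server side: make the JSON body useless when pulled in as a <script> source.
// mode 'loop' prepends an infinite loop; mode 'comment' wraps the body in /* */.
function protectJson(value, mode = 'loop') {
  let json = JSON.stringify(value);
  if (mode === 'comment') {
    // A literal "*/" inside a string value would terminate the comment early
    // and expose the rest, so escape the slash. "\/" is a valid JSON escape,
    // so the data still round-trips through JSON.parse unchanged.
    json = json.replace(/\*\//g, '*\\/');
    return '/*' + json + '*/';
  }
  return LOOP_PREFIX + json;
}

// Client side (same-origin XMLHttpRequest): strip the layer, then parse.
// JSON.parse treats the body as data, so nothing in it is ever executed.
function unprotectJson(body) {
  let json;
  if (body.startsWith(LOOP_PREFIX)) {
    json = body.slice(LOOP_PREFIX.length);
  } else if (body.startsWith('/*') && body.endsWith('*/')) {
    json = body.slice(2, -2);
  } else {
    // No layer present: the body is not framed the way our server frames it.
    throw new Error('unexpected response framing');
  }
  return JSON.parse(json);
}

// Constructed sample payload, deliberately containing the awkward "*/" sequence.
const sample = { user: 'alice', note: 'ends with */ here', items: [1, 2, 3] };

// Evaluating the comment-wrapped body as script yields nothing usable:
// the whole response is one comment. (The loop variant is not evaluated
// here because it would, by design, never return.)
function commentBodyYieldsNothing() {
  const body = protectJson(sample, 'comment');
  return (0, eval)(body) === undefined;
}
```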
