JSONRequest does only one thing: it exchanges data between scripts on pages
and JSON servers on the web. It provides this highly valuable service while
introducing no new security vulnerabilities.
A browser within a firewall may have the capability to interact with an
internal server (penzance.org). Computers on the outside do not have that
capability. Can a computer on the outside (pirate.net) cause a browser to act
as its agent in interacting with the internal server?
Currently, XMLHttpRequest does not allow a script on a page from pirate.net to
connect to penzance.org because of the Same Origin Policy.
JSONRequest does allow the connection, but with some limitations:
The method is POST.
The Content-Type is application/json.
The POST body data will be in JSON format.
The response data will be in JSON format.
The character encoding in both directions will be UTF-8, strictly enforced.
Does this allow improperly secured applications to be accessed?
Applications that expect GET cannot be accessed because JSONRequest only
uses POST.
Responses which are not JSON text will not be delivered to the requesting
script.
This is sufficient to protect most legacy applications.
But what of legacy applications that accept POST? Could JSONRequest be used to
improperly POST to these applications, thereby corrupting databases?
JSONRequest mitigates this danger:
The POST data is in JSON format, so a conventional web application that parses
the body as form data will see a first form field name beginning with [" or
{", which may cause a fault.
Cookies and HTTP authentication are not sent.
Contrast this to form.submit, which can send a conventional POST body and
cookies and HTTP authentication. JSONRequest is more secure than the
form.submit feature which is currently implemented everywhere. By switching to
a policy of responding only to well-formatted JSONRequest, applications can be
made more secure.
When applications are designed to use JSONRequest, they can take advantage of
the Domain HTTP header field which identifies the source of the page. This can
be used to determine the origin of the page making the request, which can be
useful to know when making access decisions.
http://json.org/JSONRequest.html