[uf-rest] Introducing JAHAH
David Janes -- BlogMatrix
davidjanes at blogmatrix.com
Thu Jan 5 12:20:13 PST 2006
Dr. Ernie Prabhakar wrote:
> Hi David,
>
> On Jan 5, 2006, at 12:01 PM, David Janes -- BlogMatrix wrote:
>> ... I'm willing to put technology out there that exploits a hole -- or
>> rather "hole", as I think of it. If JSON/JSONP/JAHAH take off, it's
>> actually easy to add a security bridge within the browser: only allow
>> pure string/dictionary/list/number/basic type definitions to be made
>> on a cross-site script load.
>
> I think the counter-argument to this is that, rather than requiring a
> security-sniffer to evaluate malicious code for security-safeness before
> 'actual' evaluation, far better to use a declarative data format and
> build a rigorous parser into the default library. No?
It can't be easily done, unless a new event is added to the DOM to "vet
this result". The SCRIPT load is a "real" browser action, so the trick
is to (maybe) place the result in a "playground" where what can happen
is moderately constrained. In particular, only a declarative data
structure can be constructed [1].
Sorry for the excessive number of quotes in the previous para.
Regards, etc...
David
[1] my thinking on this may evolve in the future.
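The "playground" idea above, as an added example that is not part of the thread or of any JAHAH code: the JSONP response is handled as text rather than executed by a SCRIPT load, the callback wrapper is stripped without evaluating anything, and the argument is accepted only if a strict data parser accepts it and a walk of the result finds nothing but strings, numbers, booleans, null, lists and dictionaries. `JSON.parse` is the modern built-in strict parser (it did not exist in browsers when this message was written); the function names and the sample responses are assumptions made for the example.

```javascript
// Added example, not from the original thread. Vets a JSONP-style response
// as pure declarative data instead of letting a SCRIPT load execute it.
// Function names and sample payloads are assumptions for illustration.

// Extract the single argument of `callback(<payload>)` without evaluating it.
function unwrapJsonp(text, expectedCallback) {
  const m = /^\s*([A-Za-z_$][\w$]*)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(text);
  if (!m) throw new Error("not a callback(payload) form");
  if (m[1] !== expectedCallback) throw new Error("unexpected callback name " + m[1]);
  return m[2];
}

// Walk a parsed value and confirm every node is a basic declarative type:
// string, number, boolean, null, array, or plain object. Anything else
// (functions, symbols, exotic objects) fails the check.
function isDeclarativeData(v) {
  if (v === null) return true;
  const t = typeof v;
  if (t === "string" || t === "number" || t === "boolean") return true;
  if (Array.isArray(v)) return v.every(isDeclarativeData);
  if (t === "object") {
    if (Object.getPrototypeOf(v) !== Object.prototype) return false;
    return Object.keys(v).every((k) => isDeclarativeData(v[k]));
  }
  return false;
}

// Vet a JSONP response: returns the data, or throws without running any code.
function vetJsonp(text, expectedCallback) {
  const payload = unwrapJsonp(text, expectedCallback);
  let data;
  try {
    data = JSON.parse(payload); // strict parser: no expressions, no calls, no code
  } catch (e) {
    throw new Error("payload is not pure JSON data: " + e.message);
  }
  if (!isDeclarativeData(data)) throw new Error("non-declarative value in payload");
  return data;
}

// Constructed sample responses (not captured from any real service).
// The first is plain data; the other two would run code under a SCRIPT load.
const SAFE = 'cb({"posts": [{"title": "Hello", "id": 1, "tags": ["a", "b"]}], "ok": true});';
const EVIL = 'cb(document.cookie);';
const EVIL2 = 'cb({"x": (function(){ return 1; })()});';

// Run the three samples through the check and report what happened to each.
function demo() {
  const results = {};
  results.safe = vetJsonp(SAFE, "cb");
  for (const [name, text] of [["evil", EVIL], ["evil2", EVIL2]]) {
    try {
      vetJsonp(text, "cb");
      results[name] = "ACCEPTED";
    } catch (e) {
      results[name] = "rejected: " + e.message;
    }
  }
  return results;
}
```

The caveat the message itself makes still applies: this only works when the response arrives as text the page can inspect (a same-origin fetch, a proxy, or some future "vet this result" hook). Once a cross-site SCRIPT element has loaded the response, the browser has already executed it, and no parser run afterwards can take that back.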