Re: Maximally Consumable Data
If I want to consume a web service which offers XML, then I'm forced to go to my server, request the XML to be sent to it, and then deliver it client side (or is there a better way?). If I do it this way, where is the gain in security?

Manfred

On 07/04/2008, bryan rasmussen <rasmussen.bryan@g...> wrote:
> anyway it is a security hazard because when you do that the script
> executes when you get it. That you are getting JSON in this way does
> not change the fact that you are allowing a JavaScript to execute
> inside of your client side application space, opening up for all sorts
> of attacks. However there is some interesting work being done that
> may, at some point, allow one to get around this problem - look at
> CAJA. However currently I stand by my earlier statement that the XML is a
> better solution because of better security control of data entering
> into the application.
>
> Cheers,
>
> Bryan Rasmussen
>
>
> On Mon, Apr 7, 2008 at 8:18 PM, Costello, Roger L. <costello@m...> wrote:
> > Hi Mukul,
> >
> > > IMHO, what's different (great) about this scenario?
> >
> > I need to give more detail about how it works.
> >
> > A JavaScript Ajax application that is running in a browser can only
> > fetch data from the domain that it came from. It does this using the
> > XMLHttpRequest object.
> >
> > Quoting now from Bulletproof Ajax:
> >
> > "We can't use XMLHttpRequest to access the Web APIs offered by so many
> > sites these days. That's a real shame because most APIs return their
> > data in XML, which would be available in responseXML.
> >
> > The script element has no such security restrictions. It's possible to
> > access a JavaScript file from another domain in this way:
> >
> > <script type="text/javascript"
> > src="http://www.xfront.com/us_states/json/javascript/us_states.js"></script>
> >
> > If you can request a JavaScript file from another domain, then you can
> > also request a JSON file. Remember, JSON is nothing more than
> > JavaScript."
> >
> > -- the author shows how this can be generated dynamically --
> >
> > Thus, through this technique, the JavaScript running in your browser
> > can pull in data from any web service that serves up JSON (such as the
> > Yahoo web services).
> >
> > /Roger
> >
> > _______________________________________________________________________
> >
> > XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> > to support XML implementation and development. To minimize
> > spam in the archives, you must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Or unsubscribe: xml-dev-unsubscribe@l...
> > subscribe: xml-dev-subscribe@l...
> > List archive: http://lists.xml.org/archives/xml-dev/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
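The thread contrasts two ways a browser page can take in third-party data: loading it through a script element, where the response body is executed as JavaScript, or fetching it through the page's own origin (Manfred's server-side relay) with XMLHttpRequest, where the response is only text until the page parses it. The following is an added illustration, not code from any of the posters or from Bulletproof Ajax; it shows where the security gain in the second approach comes from. It uses JSON.parse, a modern engine API that treats its input strictly as data, and a shape check written for a hypothetical "us_states" document of my own construction. All sample responses are constructed for the example.

```javascript
// Constructed sample response bodies (not captured from any real service).
// A well-formed JSON document of the shape the hypothetical "us_states" feed returns.
const GOOD_JSON = '{"states":[{"code":"MA","name":"Massachusetts"},{"code":"NY","name":"New York"}]}';
// Valid JavaScript, but not JSON: if loaded via <script src=...> the trailing
// statement would run inside the page; as data it is simply malformed.
const JSON_THEN_STATEMENT = '{"states":[]}; globalThis.sideEffect = "ran"';
// A callback-wrapped body of the kind the script-element technique relies on.
// It is a function call, not a value, so a data parser rejects it too.
const CALLBACK_WRAPPED = 'handleStates({"states":[]})';

// Parse a response body as data only. Nothing in the text can execute: JSON.parse
// produces values (objects, arrays, strings, numbers, booleans, null) or throws.
function consumeJsonAsData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    // Any non-JSON content (statements, function calls, comments) ends up here.
    return { ok: false, error: err.name };
  }
}

// Structural check for the hypothetical us_states shape. Even data that parses
// cleanly is untrusted input; the page should only accept the shape it expects
// and should drop anything else before rendering or storing it.
function validateStates(value) {
  if (value === null || typeof value !== "object" || !Array.isArray(value.states)) {
    return { ok: false, reason: "missing states array" };
  }
  const accepted = [];
  for (const entry of value.states) {
    const isRecord = entry !== null && typeof entry === "object";
    const codeOk = isRecord && typeof entry.code === "string" && /^[A-Z]{2}$/.test(entry.code);
    const nameOk = isRecord && typeof entry.name === "string" && entry.name.length <= 64;
    if (!codeOk || !nameOk) {
      return { ok: false, reason: "malformed state record" };
    }
    // Copy only the fields we know about; unexpected keys are discarded.
    accepted.push({ code: entry.code, name: entry.name });
  }
  return { ok: true, states: accepted };
}

// End-to-end: what the page would do with a body relayed by its own server and
// received as XMLHttpRequest responseText. Returns the accepted records or null.
function loadStatesFromResponseText(text) {
  const parsed = consumeJsonAsData(text);
  if (!parsed.ok) return null;
  const checked = validateStates(parsed.value);
  return checked.ok ? checked.states : null;
}

// Stand-alone demonstration.
console.log(loadStatesFromResponseText(GOOD_JSON));            // two state records
console.log(loadStatesFromResponseText(JSON_THEN_STATEMENT));  // null, nothing executed
console.log(loadStatesFromResponseText(CALLBACK_WRAPPED));     // null, nothing executed
console.log("sideEffect" in globalThis);                        // false
```

The gain Manfred asks about is in the last three lines: a body that would have run as code when pulled in through a script element is rejected as malformed data, and the page only ever sees values it has explicitly validated. The same holds for XML relayed this way and handed to an XML parser rather than to the script engine.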