Quoting from http://www.sitepen.com/blog/2008/09/25/security-in-ajax/ "It is only possible to hijack JSON data with a root that is an array. When the root is a primitive, primitive values do not trigger a constructor. When the root is an object, it is not valid JavaScript syntax, and therefore can’t be parsed. No amount of environmental alterations can affect an unparseable script."
http://haacked.com/archive/2009/06/25/json-hijacking.aspx gets into a little more detail of what must be possible to exploit this. This is an issue that is tangential to your problem, but between the two of them, it makes more sense to deal with objects as the root of whatever is being sent over the wire than arrays. Note that if your server never sends a reply to a GET request, this might not be a problem for you, but I make a habit of always starting with an object to make sure no one ever accidentally adds a security flaw.
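
The difference between array and object roots described in the quote above, as an added example that is not part of the original message: it checks whether a response body would compile when loaded as a script and wraps non-object roots before they are sent. The function names and the `data` key are hypothetical, and the sample bodies are constructed.

```javascript
// Added example: classify a JSON response root and wrap non-object roots.
// rootKind, parsesAsScript, envelope and the "data" key are hypothetical names.

// Return the JSON root type: "array", "object" or "primitive".
function rootKind(body) {
  const value = JSON.parse(body); // throws on invalid JSON
  if (Array.isArray(value)) return "array";
  if (value !== null && typeof value === "object") return "object";
  return "primitive";
}

// True if the body would compile when loaded as a script.
// The Function constructor only compiles here; the result is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Serialize a value so that the root is always an object.
function envelope(value) {
  const isObject =
    value !== null && typeof value === "object" && !Array.isArray(value);
  return JSON.stringify(isObject ? value : { data: value });
}

// Constructed sample bodies. Note that "{}" compiles as an empty block
// statement, but it carries no data.
const samples = ['[{"id":1},{"id":2}]', '{"id":1}', '"text"', '{}'];
for (const body of samples) {
  console.log(body, rootKind(body), "parses as script:", parsesAsScript(body));
}
console.log(envelope([{ id: 1 }, { id: 2 }])); // array wrapped in an object root
```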