Jon Ferraiolo wrote:
> You failed to reply to the XSLT and XBL remarks that the JSON thingie
> does not address. These are important use cases.
IMO the JSON use case is a couple of orders of magnitude more important
than the XSLT or XBL requirements. JSON is a primary format for
cross-site data exchange today, and is likely to grow in usage in the
coming years as more people discover its virtues.
It's very hard to do a fair comparison between JSON and cross-site XHR
given that only JSON actually works today. So of course it's going to be
the primary format today.
Overall, I would prefer it if browsers would adopt JSONRequest rather
than Access Control. JSONRequest was designed carefully from a security
perspective, such as the random delay feature. It achieves its results
*without* sending cookies (the cookie feature in Access Control scares
lots of us because of CSRF issues). I recognize that the WAF committee
has spent lots of time and effort on the existing Access Control, but I
think the community would be better served by having browsers implement
JSONRequest instead. (JSONRequest would be even better if it allowed XML
data in addition to JSON data.)
I'm not sure why you think there's an either-or scenario here. Firefox 3
will most likely support both JSONRequest (or some variant thereof, I'm
not directly working on that part) as well as cross-site XHR using
access-control.
A lot of people has said that sending cookies and auth credentials
'scares' them, however no one has been able to show that it does in fact
introduce new attack vectors.
I'm also very curious to hear how JSONRequest intends to do
authentication without sending cookies or auth credentials. Does it work
with existing deployed servers? Can I write a CGI script on an existing
apache server, or an ASP page on an existing IIS server that
authenticates the JSONRequest?
For XSLT and XBL, shouldn't browsers allow cross-site (GET) access in
the same way it does for CSS stylesheets and SCRIPT tags?
Now *that* if anything would introduce new attack vectors, no? I
personally hate the fact that CSS and SCRIPT can load data cross site
and I would love to disable that ability in firefox and replace it with
something more secure. Unfortunately that would break the web :(
/ Jonas
