Saturday, March 11th, 2006p>Douglas Crockford, creator of JSON, has proposed that browsers include a new “JSONRequest” service to allow for safe cross-domain calls.
text, does an HTTP POST of that text, gets the response, and parses
the value to the requesting script. In making the request, no HTTP authentication or cookies are sent.
Any cookies returned by the server are discarded. The JSONRequest service
can only be used to send and receive JSON-encoded values. JSONRequest
cannot be used to retrieve documents or other texts.
JSONRequest is a global function. It takes four parameters:
be serialized as JSON text. Cyclical structures will fail.
done function (requestNumber, value, exception) The function to be called when the request is completed. If the request was successful, the function will receive the request number and the returned value. If it is not successful, it will receive the request number and an exception object. timeout number The number of milliseconds to wait for the response. This parameter is optional. The default is
It would be nice to have a safe component for cross-browser calls, though maybe an extension to XMLHttpRequest, not tied to a particular format like JSON, is preferable. Nevertheless, the article makes the case for a more constrained approach and lists several reasons why JSONRequest is safe enough for cross-domain requests:
- JSONRequest does not send or receive cookies or passwords in HTTP headers. This avoids false authorization situations. Knowing the name of a site does not grant the ability to use its browser credentials.
- JSONRequest works only with JSON text. The JSONRequest cannot be used to access legacy data or documents or scripts. This avoids attacks on internal websites which assume that access is sufficient authorization. A request will fail if the response is not perfectly UTF-8 encoded. Suboptimal aliases and surrogates will fail. A request will fail if the response is not strictly in JSON format. A request will fail if the server does not respond to POST with a JSON payload.
- JSONRequest reveals very little error information. In some cases, the goal of a miscreant is to access the information that can be obtained from an error message. JSONRequest does not return this information to the requesting script. It may provide the information to the user through a log or other mechanism, but not in a form that the script can ordinarily access.
- JSONRequest accumulates random delays before acting on new requests when previous requests have failed. This is to frustrate timing analysis attacks and denial of service attacks.
See Douglas’s article for all the motivation and technical details of the JSONRequest proposal.
Posted by Michael Mahemoff at 5:00 pm