Comments on: JSONRequest: Proposal for Cross-Domain Browser Service

By: Mark Holton

Mark Holton — Wed, 18 Jul 2007 05:43:57 +0000

…I’d love to see this get implemented

By: William Siebler

William Siebler — Mon, 30 Oct 2006 03:30:42 +0000

Sounds like a great to me.

By: services

services — Thu, 26 Oct 2006 19:11:42 +0000

I felt good about this post. It confirmed for me some of the things Iâ€™ve been thinking about.

By: mr skin

mr skin — Wed, 25 Oct 2006 05:22:37 +0000

Deja Vu looks pretty interesting. Kilmer and Denzel are some of my favorite actors.

By: Software As She’s Developed - The Ajax Experience, May, 2006 (SF) Wrapup

Software As She’s Developed - The Ajax Experience, May, 2006 (SF) Wrapup — Wed, 17 May 2006 11:07:50 +0000

[...] Speaking of Douglas Crockford, a few people mentioned his JSONRequest spec, which I blogged a couple of months back on Ajaxian. This is gaining momentum – Brendan is bullish and mentioned that it’s trivial to implement – though Laurel (IE) didn’t say too much. Hey, even if it’s only in Firefox, we’re going to see some cool apps come out of it. The basic idea is a safe cross-domain caller (no cookie transfer). [...]

By: Out of Hanwell

Out of Hanwell — Mon, 13 Mar 2006 17:42:00 +0000

JSONRequest Proposal

Although the idea is (generally) a good one, I have some suggestions for improvement of Douglas Crockford’s recent proposal for an XMLHttpRequest equivalent for JSON.

The overloads for the JSONRequest function are confusing, and the parameter n…

By: Hugh

Hugh — Sun, 12 Mar 2006 18:10:39 +0000

The full duplex functionality mentioned in the JSONRequest spec would be a very welcome addition to XmlHttpRequest as well. The current RPC-styled HTTP interaction is very limiting to web applications and leads to a great waste of bandwidth and adds too much latency to each call.

By: Hugh

Hugh — Sun, 12 Mar 2006 17:44:43 +0000

I think the spec is a good start, but a lot things still have to be hashed out. For example, I could do without these arbitrary limits propsed:

“Limits
There is a length limit on JSON texts of 250,000 Unicode characters. This limit is enforced in both directions. A request that exceeds the limit fails. In the worst case, 250,000 Unicode characters can consume 999,988 bytes.
JSON structures can be nested. A body with a nesting depth of 20 or more will be rejected.”

Also, the random delay thing to prevent timing analysis attacks don’t belong in the spec at all. This would provide little if no security above SSL at the expense of complicating any potential implementation.

All and all, it’s a good first draft. More debate is required.

By: Andy

Andy — Sun, 12 Mar 2006 01:40:19 +0000

UTF-8 seems more like a play to avoid legacy stuff, by mandating a more modern, consistent method of encoding. By doing so, problems, security or otherwise, that might crop up in older implementations or in support code for older implementations are mitigated. I suspect that many security problems come from ambiguous requirements or specifications. By not having anything ambiguous, that leaves on less possible hole.

By: Stephen Clay

Stephen Clay — Sun, 12 Mar 2006 00:14:14 +0000

I’m trying to boil this down: Essentially JSONRequest would allow pages on domain A to exchange with domain B without having to give B access to A’s cookies/HTTP auth headers..? As I understand it this currently can’t be done with current methods like dynamically creating SCRIPT elements..? What I don’t completely get is what inherent security there is in strictly enforcing scriptly UTF-8 JSON data. Of course the timeout feature is nice too, emulating data push from the server.

By: Stephen Clay

Stephen Clay — Sun, 12 Mar 2006 00:11:18 +0000

I’m trying to boil this down: JSONRequest would allow pages on domain A to exchange with domain B without having to give B access to A’s cookies/HTTP auth headers. As I understand it this currently can’t be done with current methods like dynamically creating SCRIPT elements..? True? What I don’t completely get is what inherent security there is in strictly enforcing scriptly UTF-8 JSON data.