"I have a mind like a steel... uh... thingy." Patrick Logan's weblog.

Wednesday, August 22, 2007

JSON Security

Interesting posts and comments on JSON and security in browsers: robubu and resig. It boils down to: "browser security pretty much sucks no matter what" and "if your JSON parser relies on eval(), you are a fool, no matter how fast it is".

As Patrick Mueller commented...

Approach 2 and 3 should, simply, NEVER, EVER, EVER be used. There are plenty of libraries available today to parse JSON data structures, and none of them will EVER, EVER be able to read the whacked out Approach 2 and 3 styles. EVER.

Data, baby, data!

JSON is data. There is no way any bit of it should ever be treated as code. Some day browsers will become real platforms for applications and we will laugh at all this.

That seems a long way off.
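
The difference between an eval()-based "parser" and a data-only parser, as an added example that is not from the original post or the linked articles. The function names and sample strings are constructed for illustration; the side effect is a harmless counter.

```javascript
// Added example: eval() treats the text as code, JSON.parse treats it as data.
let sideEffects = 0; // counts code that ran while "parsing"
globalThis.recordSideEffect = () => { sideEffects += 1; return "ran"; };

// The pattern the post warns against: the response text is evaluated as JavaScript.
function evalParse(text) {
  return eval("(" + text + ")");
}

// Data-only parsing: JSON.parse accepts the JSON grammar and nothing else.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed inputs.
const samples = {
  valid: '{"user": "alice", "roles": ["admin"]}',
  call: '{"user": recordSideEffect()}', // an expression, not JSON
  jsLiteral: "{user: 'alice'}",          // a JS object literal, not JSON
};

// Run both parsers over every sample and report what each one did.
function compare() {
  sideEffects = 0;
  const results = {};
  for (const [name, text] of Object.entries(samples)) {
    let evalOutcome;
    try { evalOutcome = evalParse(text); } catch (e) { evalOutcome = e.name; }
    results[name] = { eval: evalOutcome, json: safeParse(text) };
  }
  return { results, sideEffects };
}

console.log(JSON.stringify(compare(), null, 2));
```

Only the first sample is JSON. eval() accepts all three and runs the embedded call; JSON.parse rejects the other two with a SyntaxError and nothing executes.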

About Me

Portland, Oregon, United States
I'm usually writing from my favorite location on the planet, the Pacific Northwest of the U.S. I write for myself only and unless otherwise specified my posts here should not be taken as representing an official position of my employer. Contact me at my gee mail account, username patrickdlogan.