March 6, 2007
@ 03:33 PM

The hottest story on Planet Intertwingly today is Rob Yates' blog post entitled "Safe JSON", which covers a number of security issues one can face when exposing services using JSON. He then describes the following approaches:

Approach 1 - Plain JSON: Simply return JSON

Approach 2 - var assignment: Assign the JSON object to some variable that can then be accessed by the embedding application (not an approach used by Yahoo).

Approach 3 - function callback: When calling the JSON Web Service, pass the name of a callback function as a parameter. The resulting JSON response passes the JSON object as a parameter to this callback function.

There are a number of good responses in the comments. The only thing I wanted to point out is that only Approach 1 can really be called "using JSON". The other two are "accepting arbitrary code from a third party and executing it", which is such a ridiculously bad idea that we really need to stop talking about it in civilized company. It seems silly to point out specific security or privacy issues with using that approach when the entire concept of building Web services in that manner is fundamentally insecure and downright dangerous.
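To make the distinction concrete, here is an added example (mine, not code from the original post or from Rob Yates' article). It models the three response shapes and what a client has to do with each: Approach 1 can be handed to a JSON parser that accepts only the JSON grammar, while Approaches 2 and 3 are scripts that the page has no choice but to execute, so whoever controls the response controls what runs. It also shows the practitioner's caveat on Approach 1: the response is only data if the client parses it rather than feeding it to eval(). The payloads, the field names, the callback and global names (handle, exfiltrate, sessionToken) and the way a script tag's global scope is modelled as function parameters are all constructed for the example so it runs under Node without a browser.

```javascript
// Added example, not from the original post. Payloads, field names and the
// page's globals are constructed; the "page" is modelled as named parameters.

const PLAIN      = '{"user":"alice","balance":42}';                 // Approach 1
const VAR_ASSIGN = 'var result = {"user":"alice","balance":42};';   // Approach 2
const CALLBACK   = 'handle({"user":"alice","balance":42});';        // Approach 3

// Model of what a <script src="..."> tag does with the response: run it as
// code with the page's globals in scope. Globals are passed as parameters so
// this runs under Node; in a browser they would simply be window properties.
function runAsScript(body, pageGlobals) {
  const names = Object.keys(pageGlobals);
  const values = names.map((n) => pageGlobals[n]);
  // Trailing statement reads back the variable Approach 2 assigns, if any.
  const src = body + '\n;return typeof result === "undefined" ? undefined : result;';
  return new Function(...names, src)(...values);
}

// Approach 1 consumed as data: JSON.parse implements only the JSON grammar,
// so statements and function calls are rejected with a SyntaxError.
function consumePlain(body) {
  return JSON.parse(body);
}

// Approach 2: the only way to get at `result` is to execute the body.
function consumeVarAssignment(body) {
  return runAsScript(body, {});
}

// Approach 3: likewise, the callback fires only when the body executes.
function consumeCallback(body) {
  let received;
  runAsScript(body, { handle: (data) => { received = data; } });
  return received;
}

// A hostile response in the Approach 3 shape (constructed). Nothing on the
// page can tell "call my callback" apart from "call anything else in scope".
const HOSTILE_CALLBACK =
  'handle({"user":"alice","balance":42}); exfiltrate(sessionToken);';

function demonstrateHostileCallback() {
  const captured = [];
  runAsScript(HOSTILE_CALLBACK, {
    handle: () => {},
    sessionToken: 'constructed-session-token',  // stands in for page state
    exfiltrate: (value) => captured.push(value),
  });
  return captured; // ['constructed-session-token']
}

// The caveat for Approach 1: it is only data if the client treats it as data.
// The old eval('(' + text + ')') idiom turns a plain-JSON endpoint back into a
// script; a response that closes the parenthesis early runs arbitrary code.
const HOSTILE_PLAIN = '{"user":"alice"}); exfiltrate(sessionToken); ({"ok":true}';

function consumePlainViaEval(body, exfiltrate, sessionToken) {
  // Direct eval: `exfiltrate` and `sessionToken` are in scope for the response.
  return eval('(' + body + ')');
}

function demonstrateEvalCaveat() {
  const captured = [];
  const value = consumePlainViaEval(
    HOSTILE_PLAIN, (v) => captured.push(v), 'constructed-session-token');
  return { captured, value }; // captured: ['constructed-session-token'], value: {ok: true}
}

// Does a strict JSON parser refuse this body? True for anything that is a script.
function isNotPlainJson(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}
```

The useful check is the last function: a client that insists on JSON.parse() (or, in 2007-era code, a real JSON parser rather than eval) rejects every Approach 2 and 3 response outright, hostile or not, because neither is JSON. The converse is the point of the post: once a response has to be executed to be read, no amount of "safe" callback or variable naming on the server changes the fact that the client is running code it did not write.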

PS: It looks like Rob Sayre beat me to saying this. :)