[thelist] ajax, javascript libraries - security.

trevor trevor at intospace.ca
Mon Apr 16 23:24:46 CDT 2007


thanks for the info guys, it helps a lot.

the stuff i have been reading has reinforced things you both said.

this article at ibm was good for me, it started with the basics and 
included lots of resources:
http://www-128.ibm.com/developerworks/library/x-securemashups/

ok well, if i'm grasping the pros and cons, then:
- for totally public info, as in, to expose it as a kind of "data api" for 
re-use by other websites, then json offers distinct advantages. but those 
advantages turn quickly into security problems if i'm dealing with private 
data, between server and browser. in these cases it's a much safer bet to 
use a more strictly implemented data format, such as xml, or just use json in 
such a way as to deny any behaviours.
- or also - if i'm on the "receiving" end of some external json (the masher, 
not the mashee), then there is this huge issue of trust toward the source of 
the json-with-behaviour. if "mega-corp" who happens to offer json with 
behaviour, suddenly and quietly decides to start collecting data (or 
something) within that behaviour, then that is a big risk.

what do you think, am i off base?

could you please shed some light about this too - the defensive concept to 
include a line of code such as: while(1) at the start of the json 
object, in order to throw an "evil observer's" computer into a loop.

i don't get that. because -- if the "legitimate" javascript knows enough 
to remove that line of code before implementing the object behaviour, then 
what is to stop the "evil observer" from simply inspecting the legitimate 
code, identifying the process to remove the while(1) statement, and then 
adding that removal process to their own "evil" observation code?

hope that question makes sense   :)
thanks again guys, take care
