
Web 2.0 is vulnerable to attack (nasty AJAX/JSON exploit) - nickb
http://www.cbronline.com/article_news.asp?guid=484BC88B-630F-4E74-94E9-8D89DD0E6606
======
brett
This article's not very clear on what's going on. Here's the actual advisory:
<http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf>

------
kogir
This is far from new, but it is a problem. Ironically, the old school SOAP 1.1
way of doing things (with a header and a post) is immune from this.

Also, correct me if I'm wrong, but aren't JSON and the script-tag way of
calling things explicitly designed to DEFEAT the same origin policy? If the
entire point of your data transfer method is to make it possible for anyone to
request your data, you should only send data that everyone should be able to
see =P
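The "header and a post" defence kogir mentions, as an added example that is not from this thread or the advisory: a `<script src>` include can only issue a GET with no custom headers, so a JSON endpoint that insists on POST plus a custom header (name assumed here: `X-Requested-With`) and prefixes its body with an unparseable string (value assumed here: `)]}',\n`, stripped by the page's own XHR client) cannot be read by a cross-site script include. The request and contact objects are constructed samples.

```javascript
// Added example (not from the thread or the advisory): server-side checks that
// keep sensitive JSON out of reach of a cross-site <script src=...> include.

// Assumed prefix; as a script it is a syntax error before any data executes.
const UNPARSEABLE_PREFIX = ")]}',\n";

// `req` is a constructed minimal request: { method, headers } with lower-case
// header names. A <script> tag cannot POST and cannot add custom headers.
function isSameOriginJsonRequest(req) {
  if (req.method !== "POST") return false;
  return req.headers["x-requested-with"] === "XMLHttpRequest"; // assumed header
}

// Serialise for the wire with the prefix in front.
function encodeJsonResponse(data) {
  return UNPARSEABLE_PREFIX + JSON.stringify(data);
}

// The cooperating XHR client strips the prefix before parsing; anything
// without it did not come from this endpoint as configured.
function decodeJsonResponse(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Minimal handler returning { status, body }; refuses script-tag style GETs.
function handleContactsRequest(req, contacts) {
  if (!isSameOriginJsonRequest(req)) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: encodeJsonResponse(contacts) };
}

// Constructed samples: what a <script src> include looks like to the server
// versus what the page's own XHR client sends.
const CONTACTS = [{ name: "alice", email: "alice@example.invalid" }];
const scriptTagRequest = { method: "GET", headers: {} };
const xhrRequest = {
  method: "POST",
  headers: { "x-requested-with": "XMLHttpRequest" },
};
```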

------
far33d
It would be fun to take bets on which of the 12 toolkits will fix the
vulnerability first.

