Preliminary Community Review: text/json

[Graham Klyne]

Douglas Crockford wrote:
> This is notice of a potential media type registration. 
> The details may be found here:
> 
> http://www.ietf.org/internet-drafts/draft-crockford-jsonorg-json-02.txt
> 

I have some limited experience of using JSON with TurboGears, and I think this
registration is useful and appropriate.  I haven't read the technical spec in
great detail, but didn't see any major problems on cursory reading.

However, I think there is an important issue that is missing from the security
considerations:

Because JSON is a subset of Javascript, and is sometimes used as a way of
communicating information to Javascript programs, there is a possibility for
implementers to simply treat the JSON expressions directly as Javascript source
code (e.g. via Javascript eval()).  This is safe if the expression is known to
conform the the JSON specification, but if this is not checked there is a
possibility that executable code inject side effects into a running Javascript
program.  Therefore, applications that receive JSON expressions need to ensure
that they are processed in such a way that ill-formed expressions have no
possibility of causing unexpected side effects or distorting the information
that is displayed to users.

There is one other thing I noticed.  The proposed MIME type is text/json.  I
think that, based on comments I have seen made previously, that application/json
would be more appropriate.  My understanding is that text/... is intended for
textual information that is suitable for display to a general human audience;
e.g., it has been suggested that text/html was a mistake, which should not be
repeated.

#g

-- 
Graham Klyne
For email:
http://www.ninebynine.org/#Contact