http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381 "The MochiKit framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking.""
Contacted upstream.
Upstream sez (http://groups.google.com/group/mochikit/t/e473d15b0e689054): > Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381 > in the 1.3.1 branch? Nope. It's not a real security issue, not with MochiKit anyway. The recommended "fix" would mean supporting some junk that's not JSON anymore. I've already caved and put said support on the trunk just so people would shut up about the issue, but I'm certainly not going to make a maintenance release to "fix" this non-issue. Ensuring that your server only sends JSON when properly authenticated, or otherwise sending only non-exploitable JSON (e.g. JSON with an object envelope) is the only solution to this problem. Only a very small subset of JSON, specifically [array, envelope, json] is susceptible to this data leakage attack. Don't send that stuff on the server-side, and there is no problem. Most people don't send array envelope JSON anyhow. Either way, totally irrelevant to the client-side. It's like saying that we should fix browsers so that they can't be used to mount a SQL injection attack on a poorly written service. -bob