Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)
DeWitt Clinton <dewitt@unto.net> Wed, 05 May 2010 18:50 UTC
Return-Path: <dewitt@unto.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26E743A6C45 for <oauth@core3.amsl.com>; Wed, 5 May 2010 11:50:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.376
X-Spam-Level:
X-Spam-Status: No, score=-3.376 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ybfxU2renZV0 for <oauth@core3.amsl.com>; Wed, 5 May 2010 11:50:33 -0700 (PDT)
Received: from exprod7og127.obsmtp.com (exprod7og127.obsmtp.com [64.18.2.210]) by core3.amsl.com (Postfix) with SMTP id 6F0EA3A6C3D for <oauth@ietf.org>; Wed, 5 May 2010 11:50:32 -0700 (PDT)
Received: from source ([209.85.161.42]) by exprod7ob127.postini.com ([64.18.6.12]) with SMTP ID DSNKS+G962dHIvxlLCj8niIni18dZ19jizOQ@postini.com; Wed, 05 May 2010 11:50:19 PDT
Received: by fxm15 with SMTP id 15so4162750fxm.1 for <oauth@ietf.org>; Wed, 05 May 2010 11:50:18 -0700 (PDT)
Received: by 10.239.188.194 with SMTP id q2mr1504323hbh.36.1273085418194; Wed, 05 May 2010 11:50:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.239.162.68 with HTTP; Wed, 5 May 2010 11:49:58 -0700 (PDT)
In-Reply-To: <4BE1BB10.7060009@lodderstedt.net>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <z2yf5bedd151004291440g17693f8du9e19a649bef925e4@mail.gmail.com> <w2odaf5b9571004291509x8895a73k384a4b4ddb12b794@mail.gmail.com> <20100430105935.20255m8kdythy6sc@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723439323D0DB0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTik3NSJynWfiNWovruPEOT2Y6G1zcWPFOaS_pHdy@mail.gmail.com> <4BE1AF25.7000308@lodderstedt.net> <AANLkTil2_9KOm1eRoC0jxvH99E55K3BEW-T5cgWLay9H@mail.gmail.com> <AANLkTilWV3VVBROXZuky5OLNzM2hz27pEqwG1l6W2Uc1@mail.gmail.com> <4BE1BB10.7060009@lodderstedt.net>
From: DeWitt Clinton <dewitt@unto.net>
Date: Wed, 05 May 2010 11:49:58 -0700
Message-ID: <w2v77facc501005051149pca35de47tfcca515a3b557c81@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001485f4507a1ec94e0485dd4cd5"
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2010 18:50:35 -0000
Having written more than one compliant JSON parser myself, it is most certainly not "trivial", and not something that can be safely done with a regular expression or other hacks. That said, it's not *hard*, and that alone is no reason not to mandate JSON, but I do want people to be clear about what mandating JSON means. Clients will need a fully compliant parser. Period. If the OAuth spec requires JSON, then it should require it by reference to RFC 4627, not just by giving some examples that demonstrate the curly braces. -DeWitt On Wed, May 5, 2010 at 11:38 AM, Torsten Lodderstedt < torsten@lodderstedt.net> wrote: > Am 05.05.2010 20:01, schrieb Evan Gilbert: > > > > On Wed, May 5, 2010 at 10:59 AM, Evan Gilbert <uidude@google.com> wrote: > >> >> >> On Wed, May 5, 2010 at 10:47 AM, Torsten Lodderstedt < >> torsten@lodderstedt.net> wrote: >> >>> Even if not supported directly by the platform there are many JSON >>> libraries available these days. >>> >> >> It's not hard to add JSON support, but it's a factor in the choice. >> >> >>> >>> http://www.json.org/ lists 3 libraries for Objective-C alone. >>> >>> Moreover, the JSON documents we are discussing now are simple, something >>> like >>> >>> >>> { "access_token": "SlAV32hkKG", "expires_in": "3600", "refresh_token": >>> "8xLOxBtZp8" } >>> >>> Parsing such a document is not a challenge even without library support. >>> >> >> Per notes above - the client needs to do understand form encoding anyway. >> The client needs to parse the redirect_uri and also needs to generate form >> encoded requests. >> > > Also, for the User-Agent flow, parsing potentially untrusted JSON in > JavaScript is difficult. The normal path of using eval() is unsafe and leads > to XSS holes - you need to run regex matcher to verify that the JSON content > has no executable code. > > > You are right, using eval to parse JSON is dangerous and thus as far as I > understand, the recommended way is to use a JSON parser (aka native JSON > support)? > > regards, > Torsten. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] application/x-www-form-urlencoded vs J… Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Richard Barnes
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … David Recordon
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Manger, James H
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Gaurav Rastogi
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Brian Eaton
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Manger, James H
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Allen Tom
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … David Recordon
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … DeWitt Clinton
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Greg Brail
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Luke Shepard
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Simone Gianni
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Greg Brail
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Brian Eaton