Mashups combine different Web pages within a single view. But they are inherently insecure. "If there is script from two sources, it isn't secure," Crockford told attendees at last month's The Ajax Experience conference in Boston.
"Mashups are cool. Unfortunately, mashups are insecure. They have access to any confidential information," he said.
The cause of the problem
"The problem with mashups is that all scripts look the same to the browser. Virtually all languages suffer from the same problem," Crockford added. This was not anticipated by the original browser makers. "There was no idea in the past that mashups would exist," he said. And scripts that leak from one mashup module to another are a real issue.
While JSON has some inherent safety, developers can mis-apply it.
"A favorite way of misusing JSON is the Script Tag Hack," Crockford said. "Scripts, strangely, are exempt from the Same Origin Policy."
[Going back to Netscape Navigator 2.0, the Same Origin Policy prevents browser documents from one origin from getting or setting properties of a document from a different origin.]
Crockford also advised developers not to wrap JSON text in comments. In turn, he recommended that developers use the string.parseJSON method. When this parsing is employed, "evil script" will cause a syntax error exception. That is preferable to some nefarious alternatives.