I’ve been reading Jeremiah Grossman’s great accounts of some JSON related cross site request forgery (CSRF) holes here and here. The basic pattern is that an AJAX website uses XmlHttpRequest to request some personal data that’s returned with JSON from a well known URL. You can’t use XmlHttpRequest from another domain to grab that data. But, <script> tags can load scripts cross domain. In the cases mentioned, people found ways to make the JSON returned valid in a script tag and get to it. It’s really interesting that <script> tags have this different cross domain behavior. As Dare points out, this behavior of <script> tags is one thing that’s making JSON more popular on the web. The web security model has evolved in a very interesting way. Things like the <script> tag behavior allow people to make cross site web APIs used for cool mashups, but also can be the cause of nasty security holes.