Security limitations
For all its utility in crafting dynamic web applications, XMLHttpRequest (the underlying browser technology behind jQuery's Ajax implementation) is subject to strict boundaries. To prevent various cross-site scripting attacks
, it is not generally possible to request a document from a server other than the one that hosts the original page.
This is typically a positive situation. For example, some cite the implementation of JSON parsing by using eval()
as insecure. If malicious code is present in the data file, then it could be run by the eval() call. However, as the data file must reside on the same server as the web page itself, the ability to inject code in the data file is largely equivalent to the ability to inject code in the page directly. This means that, for the case of loading trusted JSON files, eval() is not a significant security concern.
Tip
When jQuery parses JSON, it avoids the use of eval() altogether. It first attempts to use the browser's native JSON...
