JSON: Difference between revisions

Content deleted Content added

Inline

Revision as of 10:28, 23 February 2008

JSON (JavaScript Object Notation) (Template:PronEng, like Jason) is a lightweight computer data interchange format. It is a text-based, human-readable format for representing simple data structures and associative arrays (called objects). The JSON format is specified in RFC 4627 by Douglas Crockford. The official Internet media type for JSON is application/json. The JSON file extension is .json.

The JSON format is often used for transmitting structured data over a network connection in a process called serialization. Its main application is in Ajax web application programming, where it serves as an alternative to the traditional use of the XML format.

Although JSON was based on a subset of the JavaScript programming language (specifically, Standard ECMA-262 3rd Edition—December 1999^[1]) and is commonly used with that language, it is considered to be a language-independent data format. Code for parsing and generating JSON data is readily available for a large variety of programming languages. The json.org website provides a comprehensive listing of existing JSON bindings, organized by language.

In December 2005, Yahoo! began offering some of its Web Services optionally in JSON.^[2] Google started offering JSON feeds for its GData web protocol in December 2006.^[3]

Supported data types, syntax and example

JSON's basic types are

Number (integer, real, or floating point)
String (double-quoted Unicode with backslash escapement)
Boolean (true and false)
Array (an ordered sequence of values, comma-separated and enclosed in square brackets)
Object (collection of key/value pairs, comma-separated and enclosed in curly brackets)
null

The following example shows the JSON representation of an object that describes a person. The object has string fields for first name and last name, contains an object representing the person's address, and contains a list of phone numbers (an array).

 {
     "firstName": "John",
     "lastName": "Smith",
     "address": {
         "streetAddress": "21 2nd Street",
         "city": "New York",
         "state": "NY",
         "postalCode": 10021
     },
     "phoneNumbers": [
         "212 732-1234",
         "646 123-4567"
     ]
 }

Suppose the above text is contained in the JavaScript string variable JSON_text. Since JSON is a subset of JavaScript's object literal notation, one can then recreate the object describing John Smith with a simple eval():

 var p = eval("(" + JSON_text + ")");

and the fields p.firstName, p.address.city, p.phoneNumbers[0] etc. are then accessible. Parentheses are necessary because bare objects are not valid JavaScript.

In general, eval() should only be used to parse JSON if the source of the JSON-formatted text is completely trusted; the execution of untrusted code is obviously dangerous. JSON parsers are available to process JSON input from less trusted sources.

Using JSON in Ajax

The following Javascript code shows how the client can use an XMLHttpRequest to request an object in JSON format from the server. (The server-side programming is omitted; it has to be set up to respond to requests at url with a JSON-formatted string.)

var the_object;
var http_request = new XMLHttpRequest();
http_request.open( "GET", url, true );
http_request.onreadystatechange = function () {
    if ( http_request.readyState == 4 ) {
        if ( http_request.status == 200 ) {
            the_object = eval( "(" + http_request.responseText + ")" );
        } else {
            alert( "There was a problem with the URL." );
        }
        http_request = null;
    }
};

Note that the use of XMLHttpRequest in this example is not cross-browser compatible; syntactic variations are available for Internet Explorer, Opera, Safari, and Mozilla-based browsers. The usefulness of XMLHttpRequest is limited by the same origin policy: the URL replying to the request must reside within the same DNS domain as the server that hosts the page containing the request. Alternatively, the JSONP approach incorporates the use of an encoded callback function passed between the client and server to allow the client to load JSON-encoded data from third-party domains and to notify the caller function upon completion, although this imposes some security risks and additional requirements upon the server.

Browsers can also use <iframe> elements to asynchronously request JSON data in a cross-browser fashion, or use simple <form action="url_to_cgi_script" target="name_of_hidden_iframe"> submissions. These approaches were prevalent prior to the advent of widespread support for XMLHttpRequest.

Dynamic <script> tags can also be used to transport JSON data. With this technique it is possible to get around the overly restrictive same origin policy but it is insecure. JSONRequest has been proposed as a safer alternative.

Security issues

Although JSON is intended as a data serialization format, its design as a subset of the JavaScript programming language poses several security concerns. These concerns center on the use of a JavaScript interpreter to dynamically execute JSON text as JavaScript, thus exposing a program to errant or malicious script contained therein -- often a chief concern when dealing with data retrieved from the internet. While not the only way to process JSON, it is an easy and popular technique, stemming from JSON's design to be compatible with JavaScript's eval() function, and illustrated by the preceding code examples.

JavaScript `eval()`

Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function. Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data to produce native JavaScript objects. This technique relies on intentionally misrepresenting the format of the input text as being JavaScript rather than JSON.

Using the eval technique can be safe as long as everything, including both the JSON data and the entire JavaScript environment, is within the control of a single trusted source. In a web browser environment, however, this unified trust of all the components does not exist, allowing security to be breached. If the JSON data is itself not trusted, it would be possible to embed rogue JavaScript code inside the supposed JSON data. In addition, if the entire JavaScript environment is not trusted (including all the code loaded into the environment), then it is theoretically possible to intercept the evaluation of the JSON data.

The parseJSON method is a safe alternative to eval. It will likely be included in the Fourth Edition of the ECMAScript standard. It is available now as a JavaScript library at http://www.JSON.org/json2.js

Cross-site request forgery

Naive deployments of JSON are subject to cross-site request forgery attacks (CSRF or XSRF).^[4] Because the HTML <script> tag does not respect the same origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. This will allow the JSON-encoded data to be evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site.

A weak attempt to dodge this class of attacks involves wrapping or otherwise altering the JSON-formatted data so that it cannot be interpreted as valid JavaScript code. For example, wrapping the JSON-formatted text, such as inside a multi-line JavaScript comment (/* ... */), and then unwrapping it before parsing it. This is trivial to circumvent and cannot be considered a security measure.

A better method is to send as part of the HTTP request a magic cookie that can identify a legitimate session. This cannot be a HTTP cookie, since these will be sent by the browser as usual. A supplementary defense is to set the web server to refuse to serve JSON when an HTTP referer is different from the trusted site.

Comparison with other formats

XML

XML is often used to describe structured data and to serialize objects. Unlike JSON, however, which is simply a way to represent data structures, XML is a complete markup language. This makes XML more complex than JSON, which is specifically designed as a data interchange format, not a markup language. Both lack a rich (i.e., explicit) mechanism for representing large binary data types such as image data (although binary data can be stringified for both by converting to a base64 or similar representation).

YAML

Both functionally and syntactically, JSON is effectively a subset of YAML. Notably, the most widespread YAML library also parses JSON^[5]. Strictly speaking, the syntax is not quite a perfect subset, primarily because YAML lacks native handling of some extended character sets allowed in JSON (e.g. unicode like UTF-32) and requires comma separators to be followed by a space. The most distinguishing point of comparison is that YAML offers the following syntax enrichments which have no corresponding expression in JSON:

Relational:: YAML offers syntax for relational data: rather than repeating identical data later in a document, a YAML document can refer to an anchor earlier in the file/stream. Recursive structures (for example, an array containing itself) can be expressed this way.^[6]
Extensible:: YAML also offers extensible data types beyond primitives (i.e beyond strings, floats, ints, bools) which can include class-type declarations or Unicode types
Blocks:: YAML uses a block-indent syntax to allow formatting of structured data without use of additional characters (ie: braces, brackets, qutotation marks, etc.).

References

^ "Introducing JSON". json.org.
^ Yahoo!. "Using JSON with Yahoo! Web services".
^ Google. "Using JSON with Google Data APIs". {{cite web}}: |author= has generic name (help)
^ Advanced Web Attack Techniques using GMail – Jeremiah Grossman, WhiteHat Security
^ YAML is JSON, RedHanded, 08 Apr 2005.
^ For example, a film data base might list actors (and their attributes) under a Movie's cast, and also list Movies (and their attributes) under an Actor's portfolio.

External links

www.json.org: the original specification, documentation, and list of implementations for many different programming languages.
RFC 4627, current formal JSON specification.
JSONRequest
Relationship between JSON and YAML
Ric Johnson's JSON blog
JSON Formatter, an online JSON formatter
My JSON editor, an online tree-based JSON editor
The Limitations of JSON
JsonT JSON analog to XSLT
Yahoo JSON

Tutorials

AJAX without XML Compares using XML, JavaScript Objects, and JSON
Speeding Up AJAX with JSON Demos how it is easier to reference JSON rather than XML.
An Introduction to JSON by Daniel Rubio
JSON AJAX Chat Tutorial Simple tutorial that shows how to create a dynamic web chat
JSON/AJAX/PHP Simple tutorial and code libraries
Accelerating AJAX based Web Client Development with JSON and GWT Simple tutorial and code for JSON usage with GWT
JSON in JavaScript without eval() - the proper way JavaScript & JSON, PHP & JSON & some considerations

[1] "Introducing JSON". json.org.

[yahoo-2] Yahoo!. "Using JSON with Yahoo! Web services".

[Google-3] Google. "Using JSON with Google Data APIs". {{cite web}}: |author= has generic name (help)

[4] Advanced Web Attack Techniques using GMail – Jeremiah Grossman, WhiteHat Security

[5] YAML is JSON, RedHanded, 08 Apr 2005.

[6] For example, a film data base might list actors (and their attributes) under a Movie's cast, and also list Movies (and their attributes) under an Actor's portfolio.

[1]

[2]

[3]

[4]

[5]

[6]

@@ Line 124: / Line 124: @@
 *[http://www.json.com/ Ric Johnson's JSON blog]
 *[http://www.curiousconcept.com/jsonformatter/ JSON Formatter], an online JSON formatter
+*[http://www.thomasfrank.se/downloadableJS/JSONeditor_example.html My JSON editor], an online tree-based JSON editor
 *[http://blogs.sun.com/bblfish/entry/the_limitations_of_json The Limitations of JSON]
 *[http://goessner.net/articles/jsont/ JsonT] JSON analog to [[XSLT]]