JSONThe x in Ajax

Douglas Crockford

Yahoo! Inc.

Languages

• Arabic Chinese Czech English French German Greek Hebrew Indonesian Italian Japanese Korean Persian Polish Portuguese Russian Slovenian Spanish Turkish

Languages

• ASP ActionScript C C++ C# Cold Fusion D Delphi E Erlang Haskell Java JavaScript Lasso Lisp LotusScript Lua Objective C Objective CAML OpenLaszlo Perl PHP Pike PowerShell Prolog Python REALbasic Rebol Ruby Squeak

Object Quasi-Literals

• JavaScript

• Python

• NewtonScript

Values

• Strings

• Numbers

• Booleans

• Objects

• Arrays

• null

Value

Strings

• Sequence of 0 or more Unicode characters

• No separate character type

A character is represented as a string with a length of 1

• Wrapped in "double quotes"• Backslash escapement

String

Numbers

• Integer

• Real

• Scientific

• No octal or hex

• No NaN or InfinityUse null instead

Number

Booleans• true• false

null• A value that isn't anything

Object

• Objects are unordered containers of key/value pairs

• Objects are wrapped in { }• , separates key/value pairs

• : separates keys and values

• Keys are strings

• Values are JSON values

Object

Object

{"name":"Jack B. Nimble","at large": true,"grade":"A","level":3, "format":{"type":"rect","width":1920, "height":1080,"interlace":false, "framerate":24}}

Object{

"name": "Jack B. Nimble", "at large": true, "grade": "A", "format": {

"type": "rect", "width": 1920, "height": 1080, "interlace": false, "framerate": 24

}}

Array

• Arrays are ordered sequences of values

• Arrays are wrapped in []• , separates values

• JSON does not talk about indexing.

An implementation can start array indexing at 0 or 1.

Array

Array["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

[[0, -1, 0],[1, 0, 0],[0, 0, 1]

]

Arrays vs Objects

• Use objects when the key names are arbitrary strings.

• Use arrays when the key names are sequential integers.

• Don't get confused by the term Associative Array.

MIME Media Type

application/json

Character Encoding

• Strictly UNICODE.

• Default: UTF-8.

• UTF-16 and UTF-32 are allowed.

Versionless

• JSON has no version number.

• No revisions to the JSON grammar are anticipated.

• JSON is very stable.

Rules

• A JSON decoder must accept all well-formed JSON text.

• A JSON decoder may also accept non-JSON text.

• A JSON encoder must only produce well-formed JSON text.

• Be conservative in what you do, be liberal in what you accept from others.

JSON is the x in Ajax

Last year, it was smart to use JSON. This year, it is

acceptable.

XML is technologically terrible, but you have to

use it anyway.

Aaron Crane, 2002-05-14

IT’S NOT EVEN XML! ...Who did this travesty?

Let’s find a tree and string them up. Now.

Dave Winer, 2006-12-20

if you want to serialize a data structure that’s not too text-heavy and all you want is for the receiver to get the same data structure with

minimal effort, and you trust the other end to get the i18n right,

JSON is hunky-dory.

Tim Bray, 2006-12-21

any damn fool could produce a better data

format than XML.

James Clark, 2007-04-06

JSON Looks Like Data• JSON's simple values are the same as used in

programming languages.

• No restructuring is required: JSON's structures look like conventional programming language structures.

• JSON's object is record, struct, object, dictionary, hash, associate array...

• JSON's array is array, vector, sequence, list...

RUNOFF.SK 1Text processing and word processing systemstypically require additional information tobe interspersed among the natural text ofthe document being processed. This addedinformation, called "markup", serves twopurposes:.TB 4.OF 4.SK 11.#Separating the logical elements of thedocument; and.OF 4.SK 12.#Specifying the processing functions to beperformed on those elements..OF 0.SK 1

GML:h1.Chapter 1: Introduction:p.GML supported hierarchical containers, such as:ol:li.Ordered lists (like this one),:li.Unordered lists, and:li.Definition lists:eol.as well as simple structures.:p.Markup minimization (later generalized and formalized in SGML),allowed the end-tags to be omitted for the "h1" and "p" elements.

:eol.

::ol.

</ol>

Scribe@Quote(Any damn fool)

( ) [ ] { } < > " " ' '

@Begin(Section)...@End(Section)

Scribe@techreport(PUB, key="Tesler", author="Tesler, Larry", title="PUB: The Document Compiler", institution="Stanford University Artificial Intelligence Project", year=1972, number="ON-72", month="Sep")

@book(Volume3, key="Knuth", author="Knuth, Donald E.", title="Sorting and Searching", publisher="Addison-Wesley",year=1973, series="The Art of Computer Programming", volume=3,address="Reading, Mass.")

JSON is Safe and effective when used

correctly.Like everything else, dangerous when used

recklessly.

Script Tag Hack

• Scripts (strangely) are exempt from Sam Origin Policy.

• A dynamic script tag can make a GET request from a server.

receiver(jsontext);

• Extremely dangerous. It is impossible to assure that the server did not send an evil script.

eval

• JSON text is JavaScript, so evalcan turn it into data structures.

• Fast, convenient.myData =

eval('(' + jsontext + ')');

• Dangerous. If the text is not actually JSON, an evil script can execute.

parseJSON

• Use the string.parseJSON method.

myData = jsontext.parseJSON();

• Evil script will cause a syntax error exception.

• Available now: http://www.json.org/json.js

ECMAScript Fourth Ed.

• New Methods:Object.prototype.toJSONStringString.prototype.parseJSON

• Available now: JSON.org/json.js

Server accepts GET requests with cookies

• Data leakage. A rouge page can send a request to your server that will include your cookies.

• There are holes in browsers that deliver data regardless of Same Origin Policy.

• Require POST. Require explicit tokens of authority.

Don't wrap JSON text in comments

• Intended to close a browser hole./* jsontext */

• May open a new hole."*/ evil(); /*"

• Security is not obtained by tricks.

• Never put data on the wire unless you intend that it be delivered. Do not rely on Same Origin Policy.

JSONRequest

• A new facility.

• Two way data interchange between any page and any server.

• Exempt from the Same Origin Policy.

• Campaign to make a standard feature of all browsers.

JSONRequestfunction done(requestNr, value, exception) {

...}var request =

JSONRequest.post(url, data, done);var request =

JSONRequest.get(url, done);

• No messing with headers.• No cookies. • No implied authentication.

JSONRequest• Requests are transmitted in order.• Requests can have timeouts.• Requests can be cancelled.• Connections are in addition to the

browser's ordinary two connections per host.

• Support for asynchronous, full duplex connections.

JSONRequest

• Tell your favorite browser maker

I want JSONRequest!

http://www.JSON.org/JSONRequest.html

www.JSON.org