input/output json objects

[Jeff Lindsay]

So we're going with JSON objects for input data and output data. We also said you can potentially have multiple output objects. As in you can potentially receive this:

{"foo": "output for foo"}

or this:

[{"foo": "output for foo"}, {"foo": "another output for foo"}]

Because of an XSS exploit, you don't want to have an array as the outer structure. So the examples become:

{"foo": "output for foo"}

or this:

{"multiple": [{"foo": "output for foo"}, {"foo": "another output for foo"}]}

You'll notice we have to come up with some kind of key that is then a magic key / reserved word for ease of processing. However, if we wrap all responses in an object, and always use an array, the examples become more consistent and we don't have to worry about reserved words. The examples become more like:

{"output": [{"foo": "output for foo"}]}

or this:

{"output": [{"foo": "output for foo"}, {"foo": "another output for foo"}]}

Then there becomes asymmetry with input and output request. So then maybe it becomes a good idea to make input request bodies look like this:

{"input": {"qux": "input for qux"}}

Since there is always only one input, wrapped it in an array is unnecessary. You could also make the array optional in the output format to make it less verbose, but it's certainly easier to process with it always being the same structure.

Thoughts?

--
Jeff Lindsay
http://progrium.com

[Matthew Hudson]

I agree on both proposed structures for the sake of consistency and conceptual symmetry.

It also makes sense to require the input key to be an array of object(s) since it makes it easier on developers to always expect an array instead of writing code to check.

--
 
 

--

V/R

Matthew Hudson

Website | Blog | Facebook | Google+ | Twitter

[Jeff Lindsay]

By require input key to be an array, do you mean output key?

--
 
 

[Matthew Hudson]

Yes, sorry about that. 

[Tom Robinson]

My understanding of this vulnerability is it's only an issue if you're using cookies for authentication, which I don't think applies to webpipes.

That said, I'm not opposed to having a wrapper object. For error responses the key could be "error" instead of "output" or whatever.

Perhaps the input and output key should be the same? "data" maybe?

-tom

[Jeff Lindsay]

Yeah, you're right it's probably not an issue for us. But it's good practice to do it in case anybody ever does do something cool directly from the browser. 

Definitely agree on the "error" key, that's pretty standard. Not a fan of same key for input and output. Output has a different structure (always an array). Plus it makes it easier to look at it and tell if it's input or output. 

--