Joe Walker worries about Operator Overloading in Javascript. Though I’m not sure I see an immediate attack, I think Joe is worried about the right thing: since cross-domain execution is dependent on whether the file is well-formed according to the Javascript language, and since the Javascript language is changing over time, we’ve got a real problem.
This is related to the argument I was making a few days ago about the unwitting servers. It needs to be pretty darn clear when a web server is enabling cross-domain requests. We can’t expect all web app owners to keep track of the changes in the Javascript language and make sure they’re not accidentally outputting a valid Javascript program. We need a more reliable method for allowing/disallowing cross-site access, e.g. explicit signals such as the MIME type, or Access-Control HTTP headers that enable cross-domain access only in very specific cases.
The MIME type restriction should begin ASAP: the browser will execute a third-party script only if it is delivered with the right Javascript MIME-type. Since the major uses of cross-site Javascript execution, statistics tracking and such, are run by big knowledgeable web site owners, e.g. Google, such a restriction should be easy to enforce as long as it’s announced a few months ahead of time. Deliver all your Javascript with the right MIME type. Any data delivered with a different MIME type, even if it looks like Javascript, will not be executed. (I believe this idea is Doug Crockford’s, who proposed it for JSONRequest.)
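As an added illustration (example code, not from the original post), the audit helper below separates the two questions the post argues should be decoupled: whether a response body happens to parse as a Javascript program under the current grammar, and whether the proposed MIME-type rule would let a browser execute it at all. The set of script MIME types and the sample responses are assumptions constructed for this example.

```javascript
// MIME types treated as script under the proposed rule (assumed set for this example).
const SCRIPT_MIME_TYPES = new Set([
  "application/javascript", "application/ecmascript",
  "text/javascript", "text/ecmascript",
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Question 1: does the body parse as a program under the engine we run on?
// This only compiles the text as a function body; it never executes it.
function parsesAsScript(body) {
  try {
    new Function(body); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    return false; // SyntaxError: not a valid program today (the grammar may change)
  }
}

// Question 2: the rule the post proposes. Execution depends only on the declared type.
function executableUnderMimeRule(headers) {
  return SCRIPT_MIME_TYPES.has(mediaType(headers["content-type"]));
}

// Audit one response. A data endpoint whose body is valid script but is not
// declared as script is the "unwitting server" case the post describes.
function audit(response) {
  const parses = parsesAsScript(response.body);
  const mimeOk = executableUnderMimeRule(response.headers);
  return { parsesAsScript: parses, executableUnderMimeRule: mimeOk,
           accidentallyExecutable: parses && !mimeOk };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  // A JSON array literal is also a complete Javascript program.
  jsonArray:  { headers: { "content-type": "application/json" },
                body: '[{"user":"alice","role":"admin"}]' },
  // A bare JSON object is a block whose first statement is followed by a stray ':'.
  jsonObject: { headers: { "content-type": "application/json" },
                body: '{"user":"alice","role":"admin"}' },
  // Genuine script, delivered with the right MIME type.
  script:     { headers: { "content-type": "Text/JavaScript; charset=utf-8" },
                body: 'var tracker = 1;' },
};

function auditAll() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) out[name] = audit(SAMPLES[name]);
  return out;
}
```

Under the MIME rule only `script` is executable; the `jsonArray` endpoint is the one whose exposure depends on the language grammar rather than on anything its owner declared.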