Roan Kattouw wrote:
<snip> If your backend wasn't already relying on JSON output, you could've requested XML output instead and that would've worked just fine without any security issues. Running stuff through IEContentAnalyzer just so we can put a wrong MIME type on it (text/plain is not appropriate for JSON, should be either application/json or text/javascript) is a bad idea. I see you've already removed the text/plain option, so it's now back to using text/javascript for callbacks and application/json instead.
I agree. IEContentAnalyzer is over the top, especially since the escaped white-spaced JSON content plays nice with eval, so there is no reason to make things more complicated. Just have to remember not to change the <pre> tag for jsonfm output ;)
--michael