Bridging JSON Performance and Security

The development of JavaScript is partly based on the adoption of various data formats in order to push the boundaries for faster transaction. Among the data formats created, none of them could match the JSON in its ability to speed up transactions in JavaScript.

The reason for this feature is very simple: JSON was specifically created to adapt to JavaScript. Every function and command in JavaScript can be interpreted by JSON. This means developers do not have to worry about data compatibility. Although it will not assure browser compatibility, the fact that JSON works well with JavaScript makes it an ideal data format.

But the performance in JSON comes with a price. Even though JSON can improve the processes in an Ajax or JavaScript based application, it's underlying process is very alarming to most developers. One of the reasons why JSON can easily work with various JavaScript and Ajax based commands is that it will use eval() in every chance it gets.

Through eval(), the application is actually opened up to a lot of security holes especially on data processing. Attacks could be directed in this function and the data that passes through eval() can be accessed.

Increasing security in JSON is possible but it will sacrifice performance in JavaScript. To increase security in JavaScript, developers will have to use text based parser for JavaScript. This will give developers more control on how to implement JSON especially on the behavior of the function eval().

But the performance of JavaScript will be significantly affected. JavaScript engine will have a hard time reading JSON on text and will take additional resources to read JSON being parsed in this format. The required resources of the engine will make the online application render the application slower.

Choosing between security and speed of an online application is very difficult for developers especially if they are building online applications for business purposes. If the developers choose security then their application will not work as expected.

On the other hand, performance will only endanger users as their information can be easily accessed. The middle way is also dangerous because an average performance and an average security will only endanger users without giving them an optimized version of the application.

Fortunately, an answer to the problto JSON is slowly being pushed by ECMAScript. Instead of working with the JavaScript engine, the browser will help in implementing JSON. Some of the functions of JSON will be implemented not from the engine but from the browser. This will aid developers in concentrating on various JSON functions while allowing browsers to secure the data. The specific function that will be adapted by browsers will be JSON parser.

In short, browser based parsers for JSON can be implemented. Developers will just have to inform the browsers about their parsing responsibility and the rest will be taken cared of by the specific browser. This feature for JSON is already available in three major browsers: IE8, Chrome and Firefox 3.5. Hopefully more browsers will follow to increase security in JavaScript or an Ajax based application.