couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From J Chris Anderson <>
Subject Re: jsonp vs json for view
Date Wed, 25 Aug 2010 16:05:10 GMT

On Aug 25, 2010, at 4:06 AM, Nils Breunese wrote:

> Wout Mertens wrote:
>> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>>> J Chris Anderson wrote:
>>>> You also  need to activate JSONP in the configuration. It's off by default
because it is insecure.
>>> What exactly is insecure about having JSONP enabled?
>> I'm guessing that JSONP "feels" insecure.

with JSONP on by default, anyone can write mashups leaking information from couchdb to code
on another site. it's not anything you couldn't read directly with curl or by browsing to
the couchdb, but you could potentially use it to make an attackers site look customized by
listing the users personal information from a well-known couchdb document.

>> The excellent exploit prevention course from Google mentions it as something to avoid:
>> "There's a variation of JSON called JSONP which you should avoid using because it
allows script injection by design."
>> –, under the last "Exploit and Fix" section.
> I guess there is no risk for CouchDB itself, right? All CouchDB is doing is wrapping
the resulting output with "foo(" and ");". It's the caller that needs to handle the response
properly. CouchDB 0.10.1 doesn't have the JSONP setting yet and has it enabled by default,
so I can't disable it anyway at the moment. :o)
> Nils.
> De informatie vervat in deze  e-mail en meegezonden bijlagen is uitsluitend bedoeld voor
gebruik door de geadresseerde en kan vertrouwelijke informatie bevatten. Openbaarmaking, vermenigvuldiging,
verspreiding en/of verstrekking van deze informatie aan derden is voorbehouden aan geadresseerde.
De VPRO staat niet in voor de juiste en volledige overbrenging van de inhoud van een verzonden
e-mail, noch voor tijdige ontvangst daarvan.

View raw message