couchdb-user mailing list archives

From Nils Breunese <N.Breun...@vpro.nl>
Subject Re: jsonp vs json for view
Date Wed, 25 Aug 2010 11:06:55 GMT
Wout Mertens wrote:

> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>
>> J Chris Anderson wrote:
>>
>>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
>>
>> What exactly is insecure about having JSONP enabled?
>
> I'm guessing that JSONP "feels" insecure.
>
> The excellent exploit prevention course from Google mentions it as something to avoid:
>
> "There's a variation of JSON called JSONP which you should avoid using because it allows script injection by design."
> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.

I guess there is no risk for CouchDB itself, right? All CouchDB is doing is wrapping the resulting
output with "foo(" and ");". It's the caller that needs to handle the response properly. CouchDB
0.10.1 doesn't have the JSONP setting yet and has it enabled by default, so I can't disable
it anyway at the moment. :o)

Nils.

The information contained in this e-mail and the attached files is intended exclusively for use by the addressee and may contain confidential information. Disclosure, reproduction, distribution and/or provision of this information to third parties is reserved to the addressee. VPRO does not guarantee the correct and complete transmission of the contents of a sent e-mail, nor its timely receipt.
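The thread above describes what a JSONP response is (the JSON body wrapped as `foo(` … `);`) and why the course quoted by Wout calls it script injection by design: the caller loads the response as a script, so whatever lands in the callback slot runs in the caller's page. The following is an added example, not CouchDB's code and not part of this thread, written for Node.js. It shows a server-side wrapper that accepts only a plain identifier as the callback name (an assumption of this example; CouchDB's own validation rules are not discussed in the thread), and a small simulation of how a JSONP consumer receives the data. `jsonpWrap`, `isSafeCallbackName`, `simulateJsonpClient` and the sample view result are all constructed for this example.

```javascript
// Added example (not CouchDB's own code): a JSONP wrapper that validates the
// callback name before placing it in the response. A JSONP response is
// executed as a script by the caller, so any text that reaches the callback
// slot unvalidated becomes script in the caller's page.

// A plain JavaScript identifier, e.g. "onRows" or "jQuery123_cb".
// Assumption: this allow-list is the example's own, not CouchDB's rule.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Returns true when the callback name is a plain identifier.
function isSafeCallbackName(name) {
  return typeof name === 'string' && CALLBACK_RE.test(name);
}

// Build the JSONP body "<callback>(<json>);". Throws if the callback name is
// not a plain identifier, so only the JSON payload is ever interpolated.
function jsonpWrap(callback, value) {
  if (!isSafeCallbackName(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return `${callback}(${JSON.stringify(value)});`;
}

// Constructed sample view result (not a real CouchDB response).
const sampleView = {
  total_rows: 1,
  offset: 0,
  rows: [{ id: 'doc1', key: 'a', value: 1 }],
};

// Client side: a browser would evaluate the response as a <script>; here the
// same thing is simulated with `new Function` so the example runs in Node.
// The response runs with the page's privileges, which is why a JSONP caller
// must only load responses from an origin it trusts.
function simulateJsonpClient(responseText) {
  let received = null;
  const onRows = (data) => { received = data; };
  // Equivalent of <script src="...?callback=onRows"> executing in the page.
  new Function('onRows', responseText)(onRows);
  return received;
}

// Usage: wrap a view result and hand it to the simulated consumer.
const body = jsonpWrap('onRows', sampleView);
console.log(body);
// onRows({"total_rows":1,"offset":0,"rows":[{"id":"doc1","key":"a","value":1}]});
console.log(simulateJsonpClient(body).rows[0].id); // doc1
console.log(isSafeCallbackName('cb();'));          // false
```

The validation happens on the server because that is the only place the callback name can be checked before it is spliced into executable text; the client has no way to inspect the response safely once it is loaded as a script. Using plain JSON over XMLHttpRequest with `JSON.parse` avoids the issue entirely when the caller is on the same origin.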
