incubator-couchdb-user mailing list archives

From Wout Mertens <wout.mert...@gmail.com>
Subject Re: jsonp vs json for view
Date Wed, 25 Aug 2010 10:35:29 GMT
On Aug 25, 2010, at 9:44, Nils Breunese wrote:

> J Chris Anderson wrote:
> 
>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
> 
> What exactly is insecure about having JSONP enabled?

I'm guessing that JSONP "feels" insecure.

The excellent exploit prevention course from Google mentions it as something to avoid:

"There's a variation of JSON called JSONP which you should avoid using because it allows script
injection by design."
– http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.

Wout.
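An illustration of the quoted Gruyere point, added here as an example and not part of this thread or of CouchDB's own code: a JSONP response is executable script by construction, so a server emitting it must at least restrict the caller-supplied callback name, and even then the output can be loaded by any origin through a `<script>` tag with the user's cookies attached, which is the design-level risk behind leaving it off by default. The `buildJsonpResponse` function, its callback-name rule and the sample view result are assumptions of this example.

```javascript
// Added example (not from the thread or CouchDB): why JSONP is "script injection by design".
// Assumption: a view result is normally served as JSON, and when ?callback=NAME is given it is
// wrapped as NAME(<json>) and served as JavaScript, which the browser then executes.

// Strict rule for the callback: dotted JavaScript identifiers only (e.g. "cb" or "app.onView").
// Parentheses, semicolons, comment markers and whitespace are all rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildJsonResponse(data) {
  // Plain JSON is inert data: a <script> tag cannot read it, so other origins need CORS.
  return { contentType: 'application/json', body: JSON.stringify(data) };
}

function buildJsonpResponse(callback, data) {
  // The callback name comes from the request, so it must be validated before it is
  // concatenated into a script body; otherwise the response reflects caller-chosen script.
  if (typeof callback !== 'string' || callback.length > 128 || !CALLBACK_RE.test(callback)) {
    return { error: 'invalid callback name', status: 400 };
  }
  // Even with a valid name the payload is executable JavaScript that any page may load
  // cross-origin, so whatever the view returns is readable by that page. That is the
  // by-design exposure; validation only removes the reflected-script part of it.
  const json = JSON.stringify(data)
    // U+2028/U+2029 are legal inside JSON strings but end a line in JavaScript source.
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return { contentType: 'application/javascript', body: `${callback}(${json});` };
}

// Constructed sample view result in the shape of a CouchDB view reply (values are made up).
const SAMPLE_VIEW = { total_rows: 1, offset: 0, rows: [{ id: 'doc1', key: 'a', value: 1 }] };

// Stand-alone run: the same data served as inert JSON and as executable JSONP.
console.log(buildJsonResponse(SAMPLE_VIEW));
console.log(buildJsonpResponse('cb', SAMPLE_VIEW));
console.log(buildJsonpResponse('cb(); x', SAMPLE_VIEW));
```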