incubator-couchdb-user mailing list archives

From Wout Mertens <>
Subject Re: jsonp vs json for view
Date Wed, 25 Aug 2010 10:35:29 GMT
On Aug 25, 2010, at 9:44 , Nils Breunese wrote:

> J Chris Anderson wrote:
>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
> What exactly is insecure about having JSONP enabled?

I'm guessing that JSONP "feels" insecure.

The excellent exploit prevention course from Google mentions it as something to avoid:

"There's a variation of JSON called JSONP which you should avoid using because it allows script
injection by design."
–, under the last "Exploit and Fix" section.

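An added illustration of the quoted point, not part of the original message or of CouchDB's code: a JSONP response is executed as script by the page that requests it, while a JSON response is only parsed as data. The callback name `handleRows`, the `page` object and the response bodies are constructed for this sketch, and `new Function` stands in for the browser's `<script>` tag.

```javascript
// Constructed sample bodies for a view response.
const jsonBody = '{"total_rows":1,"rows":[{"id":"doc1","key":"a","value":1}]}';
const jsonpBody = 'handleRows(' + jsonBody + ');';
// The same JSONP body with one extra statement appended by whoever produced the response.
const alteredJsonpBody = jsonpBody + ' page.title = "set by remote script";';

// Models <script src="...?callback=handleRows">: the body runs as code and can
// reach the including page's objects (here the hypothetical `page`).
function loadAsJsonp(body, page) {
  let received = null;
  const handleRows = (data) => { received = data; };
  new Function('handleRows', 'page', body)(handleRows, page);
  return received;
}

// Models an XHR/fetch request followed by JSON.parse: the body is data only,
// and anything that is not pure JSON is rejected instead of being run.
function loadAsJson(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Runs both loaders over the clean and the altered body and reports the outcome.
function compare() {
  const page = { title: 'My app' };
  const clean = loadAsJsonp(jsonpBody, page);
  const titleAfterClean = page.title;
  const altered = loadAsJsonp(alteredJsonpBody, page);
  return {
    cleanRows: clean.rows.length,
    alteredRows: altered.rows.length,   // the data still arrives as expected
    titleAfterClean,
    titleAfterAltered: page.title,      // and the page was changed as a side effect
    jsonClean: loadAsJson(jsonBody),
    jsonAltered: loadAsJson(alteredJsonpBody),
  };
}

console.log(compare());
```

The consumer of JSONP therefore trusts the responding server with full script access to its page, which is the trade-off behind keeping the option off by default.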