incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Damien Katz <dam...@apache.org>
Subject Re: jsonp vs json for view
Date Wed, 25 Aug 2010 17:23:57 GMT

On Aug 25, 2010, at 9:05 AM, J Chris Anderson wrote:

> 
> On Aug 25, 2010, at 4:06 AM, Nils Breunese wrote:
> 
>> Wout Mertens wrote:
>> 
>>> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>>> 
>>>> J Chris Anderson wrote:
>>>> 
>>>>> You also  need to activate JSONP in the configuration. It's off by default
because it is insecure.
>>>> 
>>>> What exactly is insecure about having JSONP enabled?
>>> 
>>> I'm guessing that JSONP "feels" insecure.
> 
> with JSONP on by default, anyone can write mashups leaking information from couchdb to
code on another site. it's not anything you couldn't read directly with curl or by browsing
to the couchdb, but you could potentially use it to make an attackers site look customized
by listing the users personal information from a well-known couchdb document.

Also, for a read-secured database with a user or admin logged in, JSONP makes it possible
to steal private data on hostile webpages. Using JSONP, hostile webpages can make GET calls
to the CouchDB database with the user's logged-in credentials and load the otherwise secured
information to the users browser and then send it back to the hostile server.

-Damien

> 
>>> 
>>> The excellent exploit prevention course from Google mentions it as something
to avoid:
>>> 
>>> "There's a variation of JSON called JSONP which you should avoid using because
it allows script injection by design."
>>> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix"
section.
>> 
>> I guess there is no risk for CouchDB itself, right? All CouchDB is doing is wrapping
the resulting output with "foo(" and ");". It's the caller that needs to handle the response
properly. CouchDB 0.10.1 doesn't have the JSONP setting yet and has it enabled by default,
so I can't disable it anyway at the moment. :o)
>> 
>> Nils.
>> 
>> De informatie vervat in deze  e-mail en meegezonden bijlagen is uitsluitend bedoeld
voor gebruik door de geadresseerde en kan vertrouwelijke informatie bevatten. Openbaarmaking,
vermenigvuldiging, verspreiding en/of verstrekking van deze informatie aan derden is voorbehouden
aan geadresseerde. De VPRO staat niet in voor de juiste en volledige overbrenging van de inhoud
van een verzonden e-mail, noch voor tijdige ontvangst daarvan.
> 


Mime
View raw message