But Michael, please excuse my ignorance. I'm curious. I have to ask
because I still do not see this "JSONP XSS loophole."

Isn't this flickr example you showed below self-contained, with the
same-site I/O? Where is the cross-site logic?

Do you have a link to some official or 'proposal' or draft
specification on JSONP?

--
HLS

On Aug 13, 7:35 pm, "Michael Geary" <[EMAIL PROTECTED]> wrote:
> No, you can load *scripts* cross-site with no problem.
>
> It's true, a server-side proxy is the only way to do a cross-site Ajax
> download. But if the information is available in any kind of executable
> JavaScript format, you can use a script tag or a dynamic script element to
> download it.
>
> That's what the JSONP (JSON with callback) format is all about - wrap a JSON
> object inside a callback function whose name is given in the request URL.
> Here's an example:
>
> http://www.flickr.com/services/feeds/photos_public.gne?format=json
> <http://www.flickr.com/services/feeds/photos_public.gne?format=json&js...
> back=fotofeed> &jsoncallback=fotofeed
>
> That URL returns:
>
> fotofeed({
>   "title": "Everyone's photos",
>   "link": "http://www.flickr.com/photos/",
>   // more stuff here, including an array of photo links and info
>
> })
>
> If you create either a script tag or a dynamic script element with that URL
> in the src, it will call your "fotofeed" function (or any function you name
> in the jsoncallback= URL parameter) and pass it the JSON data.
>
> It doesn't have to be JSON data, of course - the script tag can execute any
> JavaScript code (which can be good or bad - obviously you need to trust the
> data provider). JSONP is just a common convention for downloading JSON data
> cross-domain.
>
> If you want to make sure that no rogue JavaScript code is executed, or if
> the data isn't available in JSONP or a similar executable script format,
> then you do need to Ajax and a server-side proxy.
>
> -Mike
>
>   _____
>
> From: Matt Stith
>
> The only way around is to use a server-side script as a proxy, as loading
> scripts cross-site is a security risk, which is why browsers block that out.
>
> From: Anthony Leboeuf(Worcester Wide Web)
>
> I am working on a website for the BBB and need to load a document cross
> site, I am getting a permission denied message when doing so. Is there a
> way around that?
