On Tue, Jun 17, 2008 at 3:21 PM, Shannon -jj Behrens <[EMAIL PROTECTED]> wrote:
> On Tue, Jun 17, 2008 at 2:55 PM, Ian Bicking <[EMAIL PROTECTED]> wrote:
>> Shannon -jj Behrens wrote:
>>> I'm using the jsonify decorator.  It'd be nice if that decorator were
>>> updated to *automatically* support the jsonp parameter
>>> <http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/>.
>>> Hence, if I request a URL like
>>> <http://localhost:5000/api/service?jsonp=foo>, and jsonify is used, it
>>> should automatically wrap the JSON in foo().
>>
>> Isn't JSONP a security concern if you aren't exposing something intended
>> to be public?  That is, you can use JSONP to read data using the
>> browser's credentials, which is sometimes okay and sometimes not.  So
>> optionally turning it on is nice, but always turning it on is dangerous.
>
> I can't comment on that.  My service is a public service.  Perhaps you
> can explain what you mean in more detail.  Bob talks about security a
> bit on his blog post:
> http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/.

The JavaScript does have to *trust* the remote server.  Of course, if
it doesn't, it shouldn't be using script tags to pull stuff from that
remote server.

-jj

-- 
I, for one, welcome our new Facebook overlords!
http://jjinux.blogspot.com/
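
The opt-in behaviour raised in the quoted reply, sketched as an added example that is not part of the original thread and is not Pylons' own jsonify code. `render_json`, `allow_jsonp` and `JSONPNotAllowed` are hypothetical names, and the callback grammar and length limit are assumptions.

```python
import json
import re

# Assumed callback grammar: dotted JavaScript identifiers only, ASCII, so the
# jsonp parameter cannot carry arbitrary script into the response body.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*", re.ASCII)
_MAX_CALLBACK_LEN = 64  # assumed limit


class JSONPNotAllowed(Exception):
    """A callback was requested on an endpoint not marked as public."""


def render_json(data, callback=None, allow_jsonp=False):
    """Return (content_type, body) for a JSON or JSONP response.

    callback    -- value of the ?jsonp= query parameter, or None if absent
    allow_jsonp -- set True only on endpoints whose data is meant to be
                   readable by any site; endpoints that answer with the
                   browser's credentials (cookies, HTTP auth) keep False
    """
    # json.dumps keeps ensure_ascii=True by default, so the body contains no
    # raw U+2028/U+2029 characters that older JavaScript parsers reject.
    body = json.dumps(data)
    if callback is None:
        return "application/json", body
    if not allow_jsonp:
        # Refuse instead of silently wrapping: a wrapped response can be
        # read cross-site through a <script> tag.
        raise JSONPNotAllowed("JSONP is not enabled for this endpoint")
    if len(callback) > _MAX_CALLBACK_LEN or not _CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback name")
    return "application/javascript", "%s(%s);" % (callback, body)


if __name__ == "__main__":
    # Constructed sample data for a public endpoint.
    print(render_json({"status": "ok"}, callback="foo", allow_jsonp=True))
    try:
        # Same request against an endpoint left at the default.
        render_json({"email": "user@example.org"}, callback="foo")
    except JSONPNotAllowed as exc:
        print("refused:", exc)
```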
