Shannon -jj Behrens wrote: > On Tue, Jun 17, 2008 at 2:55 PM, Ian Bicking <[EMAIL PROTECTED]> wrote: >> Shannon -jj Behrens wrote: >>> I'm using the jsonify decorator. It'd be nice if that decorator were >>> updated to *automatically* support the jsonp parameter >>> <http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/>. >>> Hence, if I request a URL like >>> <http://localhost:5000/api/service?jsonp=foo>, and jsonify is used, it >>> should automatically wrap the JSON in foo(). >> Isn't JSONP a security concern if you aren't exposing something intended >> to be public? That is, you can use JSONP to read data using the >> browser's credentials, which is sometimes okay and sometimes not. So >> optionally turning it on is nice, but always turning it on is dangerous. > > I can't comment on that. My service is a public service. Perhaps you > can explain what you mean in more detail. Bob talks about security a > bit on his blog post: > http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/.
Let's say I have a JSON method that returns your list of friends. That's private, and the method is restricted based on authentication. But any random website could include this: <script src="http://somesocialnetwork.org/api/friends?jsonp=readFriends";></script> and then it would be able to read your private list of friends if you had logged into somesocialnetwork.org. Simply requiring people to explicitly turn on jsonp support, with a warning that only public data should be exposed that way, would address that issue. -- Ian Bicking : [EMAIL PROTECTED] : http://blog.ianbicking.org --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en -~----------~----~----~----~------~----~------~--~---
