On Tue, Jun 17, 2008 at 3:25 PM, Ian Bicking <[EMAIL PROTECTED]> wrote:
>
> Shannon -jj Behrens wrote:
>> On Tue, Jun 17, 2008 at 2:55 PM, Ian Bicking <[EMAIL PROTECTED]> wrote:
>>> Shannon -jj Behrens wrote:
>>>> I'm using the jsonify decorator.  It'd be nice if that decorator were
>>>> updated to *automatically* support the jsonp parameter
>>>> <http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/>.
>>>> Hence, if I request a URL like
>>>> <http://localhost:5000/api/service?jsonp=foo>, and jsonify is used, it
>>>> should automatically wrap the JSON in foo().
>>> Isn't JSONP a security concern if you aren't exposing something intended
>>> to be public?  That is, you can use JSONP to read data using the
>>> browser's credentials, which is sometimes okay and sometimes not.  So
>>> optionally turning it on is nice, but always turning it on is dangerous.
>>
>> I can't comment on that.  My service is a public service.  Perhaps you
>> can explain what you mean in more detail.  Bob talks about security a
>> bit on his blog post:
>> http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/.
>
> Let's say I have a JSON method that returns your list of friends.
> That's private, and the method is restricted based on authentication.
> But any random website could include this:
>
> <script
> src="http://somesocialnetwork.org/api/friends?jsonp=readFriends"></script>
>
> and then it would be able to read your private list of friends if you
> had logged into somesocialnetwork.org.
>
> Simply requiring people to explicitly turn on jsonp support, with a
> warning that only public data should be exposed that way, would address
> that issue.

Good point.  So you're saying that if you don't use jsonp, then when
the attacker causes the victim to view a script tag that pulls stuff
down via JSON, since there's no function to "receive" the JSON, it
gets pulled down, but immediately disappears, right?  What a strange
defense mechanism.  XSRF is a pain, eh?

I'm okay with needing to turn on jsonp support.  If there were a jsonp
flag for the jsonify decorator, then you could enable it in as few
places as possible.

Best Regards,
-jj

-- 
I, for one, welcome our new Facebook overlords!
http://jjinux.blogspot.com/
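The opt-in design the thread settles on (a `jsonp` flag on the decorator, off by default, so a private endpoint like `/api/friends` can never be wrapped in a caller-chosen function) as an added example. This is not Pylons' own `jsonify`; the `Request`/`Response` classes are minimal stand-ins for a framework's objects, and the callback-name check is an assumption added here beyond what the thread discusses.

```python
import json
import re
from functools import wraps

# Assumption (not from the thread): accept only identifier-like callback names,
# so a client cannot smuggle arbitrary script into the JSONP response body.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


class Request:
    """Stand-in for a framework request; only the query params matter here."""

    def __init__(self, params=None):
        self.params = dict(params or {})


class Response:
    """Stand-in for a framework response: body plus content type."""

    def __init__(self, body, content_type):
        self.body = body
        self.content_type = content_type


def jsonify(jsonp=False):
    """Decorator factory. The wrapped action takes the request as its first
    argument and returns a JSON-serialisable object.

    JSONP wrapping happens only when jsonp=True was passed at decoration time
    AND the client supplied a valid ?jsonp=<callback> parameter. With the
    default (jsonp=False) the parameter is ignored, so the response is plain
    JSON that a cross-site <script> tag cannot read.
    """

    def decorator(action):
        @wraps(action)
        def wrapper(request, *args, **kwargs):
            body = json.dumps(action(request, *args, **kwargs))
            callback = request.params.get("jsonp")
            if jsonp and callback:
                if not _CALLBACK_RE.match(callback):
                    raise ValueError("invalid jsonp callback name: %r" % callback)
                return Response("%s(%s);" % (callback, body), "application/javascript")
            return Response(body, "application/json")

        return wrapper

    return decorator


@jsonify()  # default: private data, JSONP stays off even if ?jsonp= is sent
def friends(request):
    return {"friends": ["alice", "bob"]}


@jsonify(jsonp=True)  # explicit opt-in: this endpoint exposes only public data
def service(request):
    return {"status": "ok"}


if __name__ == "__main__":
    req = Request({"jsonp": "readFriends"})  # constructed sample request
    print(friends(req).body)   # plain JSON, not wrapped
    print(service(req).body)   # readFriends({...});
```

With the flag off, a page on another origin that embeds `<script src=".../api/friends?jsonp=readFriends">` still gets a bare JSON literal back, which the browser evaluates and discards; only endpoints decorated with `jsonp=True` ever hand data to a caller-named function.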

