I'm aware that JSONP is piss-poor on security when it comes to sources you
don't trust. I'm also aware that it's no good in scenarios where the user is
requesting sensitive data (get my bank balance, show what phone number is
assigned to my profile etc), because it becomes pretty tricky to verify the
source of the request.


...but what about verbs that don't require as sensitive a response, like
signing up for a new account, or making a comment in a forum? As far as I
can tell the send isn't any less secure than a standard GET or POST
request...

I've heard a lot of FUD in JSONP articles that basically state you shouldn't
use it for anything but your latest twitter feed and maybe a few photos from
flickr, as long as you don't care about "the Russian h4x0rs getting their
grubby mitts all over them."

I've also heard a lot of crap about this being a "bug" that will get
"patched", but I honestly don't see how or why anyone would restrict the
script tag to a same-origin policy, and it's certainly apples to oranges
when comparing it to opening up XMLHttpRequest() to the same domain policy.

So...this is largely FUD, yes? There's no inherent difference between
<script src=""> and GET, yes? I mean...it's inherently a GET anyway, no?

--~--~---------~--~----~------------~-------~--~----~
Our Web site: http://www.RefreshAustin.org/

You received this message because you are subscribed to the Google Groups 
"Refresh Austin" group.

-~----------~----~----~----~------~----~------~--~---