On Aug 25, 2010, at 9:44, Nils Breunese wrote:

> J Chris Anderson wrote:
>
>> You also need to activate JSONP in the configuration. It's off by default
>> because it is insecure.
>
> What exactly is insecure about having JSONP enabled?
I'm guessing that JSONP "feels" insecure. The excellent exploit prevention course from Google mentions it as something to avoid: "There's a variation of JSON called JSONP which you should avoid using because it allows script injection by design." – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.

Wout.
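The "script injection by design" that the Gruyere quote refers to, shown as an added example that is not part of this thread and not CouchDB's own code (the functions `buildJsonpNaive`, `buildJsonpSafe`, `runAsScript`, the `pageGlobals` stand-in for `window` and the sample document are all constructed for the illustration). A JSONP endpoint does not return data, it returns a script, `callback(<json>)`, which the including page runs with its own privileges; that is both why it escapes the same-origin policy (any origin can read the data, with the user's cookies attached) and why an unvalidated callback parameter is a reflected script injection:

```javascript
// Added example, not from the thread or from CouchDB.  Run with: node jsonp_demo.js
// Shows (1) what a JSONP response is, (2) the injection a naive builder
// allows, (3) a hardened builder, (4) that even the hardened form hands the
// data to whatever page included the script.

// Constructed sample document standing in for a CouchDB doc/view response.
const SAMPLE_DOC = { _id: "doc1", secret: "s3cr3t", tags: ["a", "b"] };

// Naive JSONP: whatever arrives in ?callback= becomes the start of the script.
function buildJsonpNaive(callback, data) {
  return `${callback}(${JSON.stringify(data)})`;
}

// Hardened JSONP (hypothetical helper; assumes the caller maps a thrown error
// to HTTP 400 and serves the result as application/javascript):
//  - callback must be a plain dotted identifier, so it cannot close the call
//    and begin a new statement;
//  - U+2028/U+2029 are escaped: JSON allows them raw, JS source did not;
//  - a leading comment keeps attacker bytes from being the first bytes of the
//    response (content-sniffing style tricks).
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
function buildJsonpSafe(callback, data) {
  if (typeof callback !== "string" || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    throw new Error("invalid JSONP callback name");
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `/**/${callback}(${json});`;
}

// Stands in for the browser: execute the response text as a script with the
// including page's globals in scope.  `pageGlobals` plays the role of window.
function runAsScript(responseText, pageGlobals) {
  const names = Object.keys(pageGlobals);
  const fn = new Function(...names, responseText);
  return fn(...names.map((n) => pageGlobals[n]));
}

// Scenario A: legitimate use.  Note that nothing here depends on which origin
// the page belongs to; a third-party site registering its own callback gets the
// document exactly the same way, and in a real browser the request carries the
// user's CouchDB session cookie.  That is the cross-origin read JSONP exists for.
function crossOriginRead() {
  let received = null;
  const page = { handleData: (d) => { received = d; } };
  runAsScript(buildJsonpSafe("handleData", SAMPLE_DOC), page);
  return received;
}

// Scenario B: the injection.  An attacker who controls the callback parameter
// of a naively built endpoint smuggles arbitrary statements into the script.
function injectionFlow() {
  const sideEffects = [];
  const page = { handleData: () => {}, evil: (x) => sideEffects.push(x) };
  const attackerCallback = "evil('pwned');handleData";
  runAsScript(buildJsonpNaive(attackerCallback, SAMPLE_DOC), page);
  return sideEffects; // ["pwned"]: attacker code ran in the page's context
}

// Scenario C: the hardened builder refuses the same callback.
function safeRejects(callback) {
  try {
    buildJsonpSafe(callback, SAMPLE_DOC);
    return false;
  } catch (e) {
    return true;
  }
}

console.log("naive response :", buildJsonpNaive("evil('pwned');handleData", SAMPLE_DOC));
console.log("safe response  :", buildJsonpSafe("handleData", SAMPLE_DOC));
console.log("injection ran  :", injectionFlow());
console.log("safe rejects   :", safeRejects("evil('pwned');handleData"));
console.log("any page reads :", crossOriginRead());
```

The callback whitelist removes the injection, but not the cross-origin read in scenario A: a hardened JSONP endpoint still lets every site the user visits pull documents through the user's session. That second property is a design choice, not a bug, which is why it makes sense for a database to ship with JSONP switched off and to require the operator to enable it knowingly.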
