Wout Mertens wrote:
> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>
>> J Chris Anderson wrote:
>>
>>> You also need to activate JSONP in the configuration. It's off by default
>>> because it is insecure.
>>
>> What exactly is insecure about having JSONP enabled?
>
> I'm guessing that JSONP "feels" insecure.
>
> The excellent exploit prevention course from Google mentions it as something
> to avoid:
>
> "There's a variation of JSON called JSONP which you should avoid using
> because it allows script injection by design."
> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix"
> section.

I guess there is no risk for CouchDB itself, right? All CouchDB is doing is
wrapping the resulting output with "foo(" and ");". It's the caller that needs
to handle the response properly. CouchDB 0.10.1 doesn't have the JSONP setting
yet and has it enabled by default, so I can't disable it anyway at the moment.
:o)
Nils.
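The point above that the caller must handle the response is half the picture: a JSONP body is a script, so whatever the server splices in around the JSON (the callback name) must itself be a plain JavaScript identifier, or the response becomes arbitrary code. Added example, not CouchDB's code; it mirrors only the "foo(" and ");" wrapping the thread mentions, and the callback names and document are constructed:

```python
import json
import re

# A JSONP response is a script: `<callback>(<json>);`. Anything spliced into it
# that is not a plain identifier becomes executable code, so the endpoint must
# refuse callback names that are not identifiers (dotted names allowed).
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")

# Syntactically valid identifiers that still must not be called as a function.
_RESERVED = {"eval", "arguments", "this", "function", "return", "var", "if"}


class BadCallback(ValueError):
    """Raised when a callback parameter is not a safe JavaScript identifier."""


def is_safe_callback(name: str) -> bool:
    if not (1 <= len(name) <= 64):
        return False
    if _CALLBACK_RE.fullmatch(name) is None:   # fullmatch: no trailing "\n" slips by
        return False
    return not any(part in _RESERVED for part in name.split("."))


def jsonp_response(callback: str, payload) -> tuple:
    """Wrap payload as `callback(<json>);` for a validated callback only.
    Returns (body, headers) for a hypothetical HTTP layer to send."""
    if not is_safe_callback(callback):
        raise BadCallback(f"rejected callback name: {callback!r}")
    # ensure_ascii keeps U+2028/U+2029 escaped: they are line terminators in
    # JavaScript but not in JSON, and raw they would break the script body.
    body = json.dumps(payload, ensure_ascii=True)
    headers = {
        # Serve as script and forbid sniffing so the browser cannot reinterpret it.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return f"{callback}({body});", headers


if __name__ == "__main__":
    doc = {"_id": "doc1", "title": "h\u00e9llo\u2028world"}   # constructed sample
    print(jsonp_response("handleDoc", doc)[0])
    for bad in ("handle();x", "1abc", "eval", ""):
        try:
            jsonp_response(bad, doc)
        except BadCallback as exc:
            print(exc)
```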