Here is the JSONP proposal: http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/

Yahoo also uses the same approach (with a different callback parameter): http://developer.yahoo.com/common/json.html

And I just released CrossSafe, which lets you securely use JSONP/XSS with callback: http://www.xucia.com/page/CrossSafe

Kris
On Aug 13, 11:06 pm, Hector Santos <[EMAIL PROTECTED]> wrote:
> But Michael, please excuse my ignorance. I'm curious. I have to ask
> because I still do not see this "JSONP XSS loophole."
>
> Isn't this flickr example you showed below self-containing with
> the same site I/O? Where is the cross-site logic?
>
> Do you have a link to some official or 'proposal' or draft
> specification on JSONP?
>
> --
> HLS
>
> On Aug 13, 7:35 pm, "Michael Geary" <[EMAIL PROTECTED]> wrote:
>
> > No, you can load *scripts* cross-site with no problem.
> >
> > It's true, a server-side proxy is the only way to do a cross-site Ajax
> > download. But if the information is available in any kind of executable
> > JavaScript format, you can use a script tag or a dynamic script element to
> > download it.
> >
> > That's what the JSONP (JSON with callback) format is all about - wrap a JSON
> > object inside a callback function whose name is given in the request URL.
> > Here's an example:
> >
> > http://www.flickr.com/services/feeds/photos_public.gne?format=json&jsoncallback=fotofeed
> >
> > That URL returns:
> >
> > fotofeed({
> > "title": "Everyone's photos",
> > "link": "http://www.flickr.com/photos/",
> > // more stuff here, including an array of photo links and info
> > })
> >
> > If you create either a script tag or a dynamic script element with that URL
> > in the src, it will call your "fotofeed" function (or any function you name
> > in the jsoncallback= URL parameter) and pass it the JSON data.
> >
> > It doesn't have to be JSON data, of course - the script tag can execute any
> > JavaScript code (which can be good or bad - obviously you need to trust the
> > data provider). JSONP is just a common convention for downloading JSON data
> > cross-domain.
> >
> > If you want to make sure that no rogue JavaScript code is executed, or if
> > the data isn't available in JSONP or a similar executable script format,
> > then you do need to use Ajax and a server-side proxy.
> >
> > -Mike
> >
> > _____
> >
> > From: Matt Stith
> >
> > The only way around is to use a server-side script as a proxy, as loading
> > scripts cross-site is a security risk, which is why browsers block that out.
> >
> > From: Anthony Leboeuf(Worcester Wide Web)
> >
> > I am working on a website for the BBB and need to load a document cross
> > site, I am getting a permission denied message when doing so. Is there a
> > way around that?
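The JSONP convention Michael Geary describes above, written out as an added example that is not code from any message in this thread nor from Flickr or Yahoo. Both halves of the exchange are plain functions so they run under Node with no browser or network: the provider side wraps JSON in the caller-named callback, and the consumer side builds the request URL and executes the response the way a dynamic script element would. The function names (isSafeCallbackName, wrapJsonp, buildJsonpUrl, executeJsonp) and the sample response are constructed for this illustration. The one check a provider wants that the thread only hints at ("you need to trust the data provider") is on the provider's own side: the jsoncallback parameter is copied straight into a script body, so it must be restricted to a JavaScript identifier before it is reflected.

```javascript
// Added illustration of the JSONP (JSON with callback) convention.
// Not code from the thread, Flickr or Yahoo; all names are chosen here.

// --- Provider side ---------------------------------------------------------
// A JSONP endpoint copies the jsoncallback parameter into the body of a script
// that the requesting page executes. If a value containing anything other than
// an identifier were reflected, the endpoint itself would become a source of
// arbitrary script. Restricting the name to a dotted identifier closes that.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string'
    && name.length <= 64
    && CALLBACK_NAME.test(name);
}

// Build the script body `callback(<json>)`. JSON.stringify yields a valid JS
// literal; U+2028/U+2029 are escaped because older engines treat them as line
// terminators inside a <script> body, which would break the statement.
function wrapJsonp(callbackName, data) {
  if (!isSafeCallbackName(callbackName)) {
    throw new Error('rejected jsoncallback parameter');
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `${callbackName}(${json})`;
}

// --- Consumer side ---------------------------------------------------------
// The request URL, built the way the Flickr example does it: the feed's own
// parameters plus jsoncallback=<name>. In a page this string would become the
// src of a dynamically created <script> element.
function buildJsonpUrl(baseUrl, params, callbackName) {
  const url = new URL(baseUrl);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  url.searchParams.set('jsoncallback', callbackName);
  return url.toString();
}

// What the browser then does with the response: run it as script, with the
// page's own functions in scope. Evaluating through the Function constructor
// stands in for <script> execution and makes the trust point concrete:
// whatever the provider returns is executed, JSON or not.
function executeJsonp(scriptText, callbacks) {
  const names = Object.keys(callbacks);
  const run = new Function(...names, scriptText);
  return run(...names.map((n) => callbacks[n]));
}

// End-to-end walk-through of the Flickr exchange with a constructed response
// (the real feed returns more fields; only two are reproduced here).
function demo() {
  const url = buildJsonpUrl(
    'http://www.flickr.com/services/feeds/photos_public.gne',
    { format: 'json' },
    'fotofeed',
  );
  const response = wrapJsonp('fotofeed', {
    title: "Everyone's photos",
    link: 'http://www.flickr.com/photos/',
  });
  let received = null;
  executeJsonp(response, { fotofeed: (data) => { received = data; } });
  return { url, response, received };
}

console.log(demo());
```

The consumer half shows why the thread's trust remark matters: `executeJsonp` has no way to tell JSON from any other script, so only the provider's identity protects the page. The provider half shows the complementary check, `isSafeCallbackName`, rejecting a callback value before it is reflected rather than after.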