Issue #232 new

Security: Disable JSONP Support By Default

Neal Poole
created an issue

JSONEmitter supports wrapping its output in a JS callback function. This is a technique known as JSONP (http://en.wikipedia.org/wiki/JSONP) which allows a third-party website to access the data returned by the API. Unfortunately that means if an API ever returns information based on the user's current session, that information can then be accessed by a third-party website. There is currently no way for an application to disable this behavior without writing its own emitter. This behavior is a security risk and should be disabled by default.

JSONP support has previously been disabled in django-tastypie due to similar concerns (https://github.com/toastdriven/django-tastypie/commit/76c4f1522cc92900268fbbabac287fc52cb01830). It might make sense to take a similar approach here:

  1. Separate the JSONP and JSON functionality into two distinct emitters.
  2. Do not register the JSONP emitter by default: applications can "opt in" to it if they'd like to expose that functionality.
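The separation proposed in the two steps above, sketched as an added example (not the project's own code and not the real emitter or registration API, which are assumed here for illustration): a plain JSON emitter that never wraps its output, a distinct JSONP emitter that only runs when an application opts in, and a callback-name check so that the opt-in path at least does not echo arbitrary text into an executable JavaScript response. `request` is modelled as a dict of query parameters.

```python
import json
import re

# Hypothetical emitter registry keyed by format name; the real project's
# registration mechanism is not reproduced here.
EMITTERS = {}


def register(name, emitter_cls, content_type):
    EMITTERS[name] = (emitter_cls, content_type)


def is_registered(name):
    return name in EMITTERS


class JSONEmitter:
    """Plain JSON. The output is never wrapped in a callback, so a third-party
    page that includes the URL in a <script> tag gets a syntax error rather than
    the data, even when the response depends on the user's session cookie."""

    def __init__(self, data):
        self.data = data

    def render(self, request):
        # Any 'callback' parameter is deliberately ignored.
        return json.dumps(self.data)


# Callback names are restricted to dotted JavaScript identifiers. Anything
# else (e.g. 'alert(1)//') is rejected instead of being reflected into the
# response body, which is served as executable JavaScript.
_CALLBACK_RE = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$')


def safe_callback(name):
    return bool(name) and _CALLBACK_RE.match(name) is not None


class JSONPEmitter(JSONEmitter):
    """JSONP: the same payload wrapped in the requested callback. Because any
    origin can load the result with a <script> tag, this emitter should only be
    enabled for data that is safe to expose to other sites."""

    def render(self, request):
        callback = request.get('callback')
        if not safe_callback(callback):
            raise ValueError('missing or invalid JSONP callback name')
        return '%s(%s);' % (callback, json.dumps(self.data))


# Default registration: JSON only. JSONP is not available unless the
# application explicitly turns it on.
register('json', JSONEmitter, 'application/json; charset=utf-8')


def enable_jsonp():
    """Opt-in hook an application calls if it really wants JSONP."""
    register('jsonp', JSONPEmitter, 'application/javascript; charset=utf-8')


def render(format_name, data, request):
    """Return (body, content_type) for a registered format, or raise KeyError."""
    if not is_registered(format_name):
        raise KeyError('emitter %r is not registered' % format_name)
    emitter_cls, content_type = EMITTERS[format_name]
    return emitter_cls(data).render(request), content_type


if __name__ == '__main__':
    # Constructed sample: a session-dependent payload requested with a
    # callback parameter. Before opt-in only plain JSON is possible.
    print(render('json', {'user': 'alice'}, {'callback': 'cb'}))
    enable_jsonp()
    print(render('jsonp', {'user': 'alice'}, {'callback': 'cb'}))
```

With the default registry a request for `?format=jsonp` fails outright and a `callback` parameter on the JSON format is ignored, which is the "disabled by default" behaviour the issue asks for; `enable_jsonp()` is the single place an application has to touch to accept the cross-origin exposure.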

Comments (0)