JSONP…you’re joking, right?
I understand people are hard up for their mashups, but this is crazy. Someone has decided it would be a good idea to give a name to a browser security exploit in the name of wider adoption. JSON with Padding (JSONP) is essentially a way of working around the cross domain security policies enforced by your web browser. Those security policies are in place to ensure that malicious code can’t report your private data to third parties and to prevent third parties from messing with your data on other web sites.
The problem is, there’s a hole in the security model. Using <script> tags, you can work around the policies to execute code from another web site. That code is, in turn, free to do whatever it wants to do on your behalf on the web site you’re currently browsing. Imagine, for instance, you’re browsing eBay. Now imagine that eBay includes a bit of JavaScript from one of their sellers’ web sites like this:
<script src="http://reallynastyhackers.com/ownyou.js"></script>
Oh sure, the seller says it’s just so they can do a little metrics gathering. Unbeknownst to you, the JavaScript ends up using your account to submit glowing feedback on the seller. Or maybe it submits a password reset request, locking you out of your account. Who knows, the point is, you just executed code from someone you don’t know. You probably did it without even knowing it happened. It’s like the days of Word macro viruses.
The point is, these JSONP loons are hitchhiking a ride on a security flaw in the browsers. I’d guess (hope might be more accurate) it won’t be long before the browser developers put in a fix, at which point all of your JSONP code will cease to work. I do think there needs to be an easy way to let page scripts talk to multiple hosts, but I think this is the wrong way of doing it. There has to be some form of protection added to ensure that arbitrary code from the other hosts isn’t executed within the page.
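As an added illustration (not code from the original post), here is the JSONP exchange in JavaScript: the server-side padding step, what the browser does with the response when it arrives via a <script> tag, and the data-only parse that would refuse to execute anything. The page functions handleData and submitFeedback are made-up stand-ins for whatever a real page exposes, and new Function stands in for the <script> tag so it runs under Node.

```javascript
// Added illustration (not the post's code): a JSONP response is a script,
// so the page runs whatever the remote host sends back, not only the data.
// new Function stands in for the <script> tag so this runs under Node.

// Server side of JSONP: pad the JSON document with a call to the
// callback named by the client, e.g. ?callback=handleData.
function jsonpResponse(callbackName, data) {
  // Only accept a plain identifier as the callback name; anything else
  // would let the requester put arbitrary script into the response.
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  return callbackName + '(' + JSON.stringify(data) + ');';
}

// Browser side: the response executes with the page's privileges.
// handleData and submitFeedback are made-up page globals; a real page
// exposes every function it has, and the session cookie goes along.
function runAsScript(responseText) {
  const received = [];     // data handed to the intended callback
  const sideEffects = [];  // anything else the response chose to call
  const handleData = (d) => received.push(d);
  const submitFeedback = (text) => sideEffects.push('submitFeedback:' + text);
  // Same effect as <script src=...>: the whole response runs as code.
  new Function('handleData', 'submitFeedback', responseText)(handleData, submitFeedback);
  return { received, sideEffects };
}

// Data-only alternative: parse strictly, never execute. Padding, extra
// statements and function calls all fail the parse instead of running.
function parseAsData(responseText) {
  try {
    return { ok: true, data: JSON.parse(responseText) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed responses for the two cases the post describes: a host that
// just hands back data, and one that also calls into the page on your behalf.
const HONEST_RESPONSE = jsonpResponse('handleData', { items: [1, 2] });
const HOSTILE_RESPONSE = HONEST_RESPONSE + ' submitFeedback("A+++ seller");';
```

Run runAsScript on both constants to see that the second one reaches submitFeedback, then parseAsData on either to see that a data-only parser rejects the padded form outright.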
January 5th, 2006 at 5:19 pm
It’s not a security flaw. It’s in there by design and it’s not going anywhere. It’d kill adwords, among other things.
By the point you’re browsing a web page, you’re trusting the content provider and browser to do no harm. Script tags with remote hosts only end up in that page if the content provider puts it there and trusts the remote host.
If you come up with a “solution” that allows for safe exchange of data, you’re providing for another use case… namely, exchanging data with an untrusted remote host. That’s certainly a valid use case, but it’s a different one that JSONP doesn’t claim to solve.
Note that even with a safe wire protocol, nothing stops the content provider from using eval() to run code from untrusted hosts, or to simply HTTP proxy to untrusted hosts — it’s up to the content provider. You’ve already trusted them and nothing can stop them from extending that trust to another party if they choose to.