Why is JSONP disabled by default?
Security/CSRF concerns? As JSONP is an output format, I do not see how enabling it provides any greater risk of CSRF than JSON output. Perhaps someone more familiar could shed some light.
Kind regards,
--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre
On Mon, Nov 4, 2013 at 4:34 AM, Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com> wrote:
> Why is JSONP disabled by default?
> Security/CSRF concerns? As JSONP is an output format, I do not see how
> enabling it provides any greater risk of CSRF than JSON output. Perhaps
> someone more familiar could shed some light.
Ben,
if you search in the archives, I believe there was a discussion between Carlo and Tim about it.
Cheers
Andrea
--
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
On 04/11/13 14:52, Andrea Aime wrote:
> On Mon, Nov 4, 2013 at 4:34 AM, Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com> wrote:
> > Why is JSONP disabled by default?
> > Security/CSRF concerns? As JSONP is an output format, I do not see how
> > enabling it provides any greater risk of CSRF than JSON output. Perhaps
> > someone more familiar could shed some light.
> Ben,
> if you search in the archives, I believe there was a discussion between Carlo and Tim about it.
Thanks, Andrea, I found it. Tim gives a hypothetical example of data stealing using CSRF:
http://osgeo-org.1560.x6.nabble.com/GSIP-79-Json-support-and-WFS-and-WMS-ExceptionHandler-s-tp4999973p5000874.html
Carlo then disabled JSONP by default.
Kind regards,
--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre