[Geoserver-devel] JSONP disabled by default?

Why is JSONP disabled by default?

Security/CSRF concerns? As JSONP is an output format, I do not see how enabling it provides any greater risk of CSRF than JSON output. Perhaps someone more familiar could shed some light.

Kind regards,

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

On Mon, Nov 4, 2013 at 4:34 AM, Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com> wrote:

    Why is JSONP disabled by default?

    Security/CSRF concerns? As JSONP is an output format, I do not see how
    enabling it provides any greater risk of CSRF than JSON output. Perhaps
    someone more familiar could shed some light.

Ben,
if you search in the archives I believe there was a discussion between Carlo and Tim about it.

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

On 04/11/13 14:52, Andrea Aime wrote:

    On Mon, Nov 4, 2013 at 4:34 AM, Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com> wrote:

        Why is JSONP disabled by default?

        Security/CSRF concerns? As JSONP is an output format, I do not see how
        enabling it provides any greater risk of CSRF than JSON output. Perhaps
        someone more familiar could shed some light.

    Ben,
    if you search in the archives I believe there was a discussion between Carlo and Tim about it.

Thanks, Andrea, I found it. Tim gives a hypothetical example of data stealing using CSRF:
http://osgeo-org.1560.x6.nabble.com/GSIP-79-Json-support-and-WFS-and-WMS-ExceptionHandler-s-tp4999973p5000874.html

Carlo then disabled JSONP by default.

Kind regards,

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre
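The difference between the two output formats that the thread turns on can be shown in a few lines. The following is an added illustration, not code from GeoServer or from anyone in this thread: a tiny server that renders the same feature data either as JSON or as JSONP (off unless a deployer enables it), plus two crude models of browser behaviour, a cross-origin `<script src>` tag and a cross-origin XMLHttpRequest without CORS. The request parameter names (`outputFormat`, `callback`), the `jsonpEnabled` setting, the origins and the feature payload are all constructed for the example and only loosely modelled on GeoServer's real parameters.

```javascript
// Added illustration, not code from GeoServer or from anyone in this thread.
// It models why a JSONP output format hands data to a page on another origin
// while a plain JSON output format does not, and why "disabled by default"
// is the safe setting. Parameter names, config names, origins and payload are
// constructed assumptions, not GeoServer's actual API.

// Constructed sample payload, as a GetFeature response might carry it.
const FEATURE_JSON = JSON.stringify({
  type: "FeatureCollection",
  features: [{ id: "parcel.1", properties: { owner: "constructed-name" } }],
});

// Only plain identifiers (optionally dotted) are accepted as callback names,
// so the request cannot turn the response into arbitrary script.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Server side: the JSON output format returns data; the JSONP output format
// wraps the same data in a function call so that a <script src=...> tag can
// consume it. JSONP stays off unless the deployer turns it on explicitly.
function handleRequest(params, config = { jsonpEnabled: false }) {
  if (params.outputFormat === "text/javascript") {
    if (!config.jsonpEnabled) {
      return { status: 400, contentType: "text/plain", body: "JSONP output format is disabled" };
    }
    if (!SAFE_CALLBACK.test(params.callback || "")) {
      return { status: 400, contentType: "text/plain", body: "invalid callback name" };
    }
    return { status: 200, contentType: "text/javascript", body: `${params.callback}(${FEATURE_JSON});` };
  }
  return { status: 200, contentType: "application/json", body: FEATURE_JSON };
}

// Browser model 1: a page on another origin loads the URL with a <script> tag.
// The browser sends the user's cookies and executes whatever comes back in the
// page's global scope; `collect` stands for a callback that page defined.
function loadViaScriptTag(response) {
  const received = [];
  try {
    new Function("collect", response.body)((data) => received.push(data));
  } catch (e) {
    // A bare JSON object is not a valid script (the leading "{" opens a block
    // and the first "key": fails to parse), so nothing reaches the page.
    // The "disabled" error text is not valid script either.
  }
  return received;
}

// Browser model 2: the same page uses XMLHttpRequest/fetch instead. Without a
// CORS header naming that origin, the same-origin policy withholds the body.
// (Crude model: equal origins read, different origins get nothing.)
function readViaXhr(response, requestOrigin, serverOrigin) {
  return requestOrigin === serverOrigin ? response.body : null;
}

// Walk through the cases the thread contrasts and report what the other
// origin ends up holding in each.
function demo() {
  const otherSite = "https://other-site.example";
  const server = "https://geoserver.example";
  const json = handleRequest({ outputFormat: "application/json" });
  const jsonpOff = handleRequest({ outputFormat: "text/javascript", callback: "collect" });
  const jsonpOn = handleRequest(
    { outputFormat: "text/javascript", callback: "collect" },
    { jsonpEnabled: true },
  );
  return {
    jsonReadCrossOrigin: readViaXhr(json, otherSite, server), // null: SOP blocks it
    jsonViaScriptTag: loadViaScriptTag(json).length,          // 0: not executable
    jsonpOffViaScriptTag: loadViaScriptTag(jsonpOff).length,  // 0: server refused
    jsonpOnViaScriptTag: loadViaScriptTag(jsonpOn).length,    // 1: data delivered
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the four outcomes. Only the last case, JSONP enabled and a `<script>` tag on another origin, delivers the feature collection to that page while the request carries the user's cookies; that is the data-stealing pattern the thread refers to, and the reason the format is off by default. The callback-name check is a separate hardening step that any JSONP endpoint should have regardless of the default.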