HenryHu / pybbs

Python implementation of the BBS server, providing BBS data interface

jsonp callback support required #1

Closed mrroach9 closed 12 years ago

mrroach9 commented 12 years ago

The current pybbs interface will simply ignore the jsoncallback arg, which makes cross-domain ajax requests using jQuery invalid.

thinxer commented 12 years ago

We cannot add JSONP support for now. Without careful design, it would lead to security vulnerabilities.

After you have logged in, any site could get your information using jsonp. We need other methods to prevent this from happening.

I'm not sure if the current design is vulnerable to CSRF attacks. We should disable cross-site requests for the moment.

HenryHu commented 12 years ago

We are not using cookies, so are there still security problems?

thinxer commented 12 years ago

Oh I forgot that we were not using cookies. I think we can allow jsonp, then.

mrroach9 commented 12 years ago

Hooray! So can either of you add this recently? Thanks so much!

HenryHu commented 12 years ago

OK, let's do it. Now nearly all the results are returned by svc.writedata(), so it should be easy to implement this.

HenryHu commented 12 years ago

This is implemented. jsonp=function and jsoncallback=function both work. Initial CORS support is also implemented. That's a modern alternative to jsonp.
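A sketch of what a JSONP/CORS-aware `writedata()` can look like, as an added example that is not pybbs's own code: it honours both `jsonp` and `jsoncallback`, rejects callback names that are not plain JavaScript identifiers (so the callback parameter cannot be used to reflect arbitrary script), and only emits an `Access-Control-Allow-Origin` header for origins on an allow-list. The `params`/`origin`/`allowed_origins` arguments and the return shape are assumptions for this example.

```python
import json
import re

# A callback must look like a (possibly dotted) JavaScript identifier.
# Anything else is refused rather than echoed into the response body.
_CALLBACK_RE = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$')


def writedata(result, params, origin=None, allowed_origins=()):
    """Serialise `result` as JSON, JSONP, or JSON with CORS headers.

    params:          dict of query parameters, e.g. {'jsonp': 'cb'} or
                     {'jsoncallback': 'cb'} (the two names the thread mentions).
    origin:          value of the request's Origin header, if any (assumed).
    allowed_origins: origins permitted to read the response cross-site (assumed).
    Returns (status, headers, body).
    """
    body = json.dumps(result)
    callback = params.get('jsonp') or params.get('jsoncallback')

    if callback is not None:
        if not _CALLBACK_RE.match(callback):
            err = json.dumps({'error': 'invalid callback name'})
            return 400, {'Content-Type': 'application/json'}, err
        headers = {
            'Content-Type': 'application/javascript',
            # Stop browsers from second-guessing the declared type.
            'X-Content-Type-Options': 'nosniff',
        }
        # Leading comment is a common JSONP hardening so the body cannot
        # double as another file format when fetched by a plugin.
        return 200, headers, '/**/%s(%s);' % (callback, body)

    headers = {'Content-Type': 'application/json'}
    # CORS: reflect only allow-listed origins; a wildcard would hand the
    # data to any site, which is exactly the concern raised above.
    if origin is not None and origin in allowed_origins:
        headers['Access-Control-Allow-Origin'] = origin
        headers['Vary'] = 'Origin'
    return 200, headers, body
```

Because pybbs does not use cookies, a JSONP response carries no ambient credentials, which is why the thread concluded it was safe to enable; the callback check still matters so the endpoint cannot be used to reflect attacker-chosen script.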

mrroach9 commented 12 years ago

It works perfectly well. Thanks so much!