SpaceApi / website

The spaceapi.io website.
https://spaceapi.io/

Document API requirements #3

Closed dbrgn closed 5 years ago

dbrgn commented 7 years ago

API endpoints should return an HTTP 200 status code. Furthermore, they should set the Access-Control-Allow-Origin: * header.

dns2utf8 commented 7 years ago

Security: Must not enable jsonp

dbrgn commented 7 years ago

@dns2utf8 What exactly do you mean with that?

dns2utf8 commented 7 years ago

A JSONP endpoint has some security problems.

dbrgn commented 7 years ago

Well yes, if you use JSONP to load a SpaceAPI endpoint, then that endpoint can inject code into your page. But that's the whole point of using JSONP :)

~In any case, can one even prevent the use of the JSONP technique as server operator?~

Since most (all?) endpoints don't implement JSONP (and since it's not necessary with CORS headers), I don't think we need to add any rule for this.

gidsi commented 5 years ago

Added by #30