Is JSONP safe to use?
Are there any security issues that should be considered when using JSONP?
security json jsonp
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
add a comment |
Are there any security issues that should be considered when using JSONP?
security json jsonp
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
the site is truly a secure site..i just want to know that whether any security problem with the cookie stored by my server.
– dits59
Mar 5 '09 at 9:06
The link below by naugtur gives a nice solution and an insightful explanation of how it could be broken and how the solution works. Please do take a look.
– minghua
Jul 19 '13 at 19:09
1
related question for fixing the issues: Is it possible to make a secure JSONP request?
– Bergi
Jul 3 '14 at 11:23
Is it a problem that whatever data is being submitted appears as query parameters on a GET request and therefore likely be logged, etc?
– WW.
May 13 '15 at 2:51
add a comment |
Are there any security issues that should be considered when using JSONP?
security json jsonp
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
Are there any security issues that should be considered when using JSONP?
security json jsonp
security json jsonp
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
edited Oct 26 '15 at 20:59
therealrootuser
4,09441939
4,09441939
asked Mar 5 '09 at 8:24
dits59
the site is truly a secure site..i just want to know that whether any security problem with the cookie stored by my server.
– dits59
Mar 5 '09 at 9:06
The link below by naugtur gives a nice solution and an insightful explanation of how it could be broken and how the solution works. Please do take a look.
– minghua
Jul 19 '13 at 19:09
1
related question for fixing the issues: Is it possible to make a secure JSONP request?
– Bergi
Jul 3 '14 at 11:23
Is it a problem that whatever data is being submitted appears as query parameters on a GET request and therefore likely be logged, etc?
– WW.
May 13 '15 at 2:51
add a comment |
the site is truly a secure site..i just want to know that whether any security problem with the cookie stored by my server.
– dits59
Mar 5 '09 at 9:06
The link below by naugtur gives a nice solution and an insightful explanation of how it could be broken and how the solution works. Please do take a look.
– minghua
Jul 19 '13 at 19:09
1
related question for fixing the issues: Is it possible to make a secure JSONP request?
– Bergi
Jul 3 '14 at 11:23
Is it a problem that whatever data is being submitted appears as query parameters on a GET request and therefore likely be logged, etc?
– WW.
May 13 '15 at 2:51
the site is truly a secure site..i just want to know that whether any security problem with the cookie stored by my server.
– dits59
Mar 5 '09 at 9:06
the site is truly a secure site..i just want to know that whether any security problem with the cookie stored by my server.
– dits59
Mar 5 '09 at 9:06
The link below by naugtur gives a nice solution and an insightful explanation of how it could be broken and how the solution works. Please do take a look.
– minghua
Jul 19 '13 at 19:09
The link below by naugtur gives a nice solution and an insightful explanation of how it could be broken and how the solution works. Please do take a look.
– minghua
Jul 19 '13 at 19:09
1
1
related question for fixing the issues: Is it possible to make a secure JSONP request?
– Bergi
Jul 3 '14 at 11:23
related question for fixing the issues: Is it possible to make a secure JSONP request?
– Bergi
Jul 3 '14 at 11:23
Is it a problem that whatever data is being submitted appears as query parameters on a GET request and therefore likely be logged, etc?
– WW.
May 13 '15 at 2:51
Is it a problem that whatever data is being submitted appears as query parameters on a GET request and therefore likely be logged, etc?
– WW.
May 13 '15 at 2:51
add a comment |
4 Answers
4
active
oldest
votes
Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross Origin Resource Sharing, and IE8+ have XDomainRequest which is similar. See http://enable-cors.org/ for more info.
JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).
As long as you control the script and the server, JSONP isn't anymore insecure than a script include. Unless you have a JSONP-service that returns sensitive data to logged in users. A malicious site can send a request to the service (hoping that the user is logged in on your site), and retreive the data. The service can check the referrer of the request, but it is possible to spoof the referrer using flash (thanks Chris Moschini).
Imagine this senario:
- A user logs into his internet banking account. Storing a session cookie in the users browser. This site has a jsonp service with sensitive info about the user and his accounts.
- Other sites won't know that the user is logged in, but they could do a wild guess and try to access the jsonp service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an ajax post to save the sensitive data on their server.
Update June 28th 2012: If you want to protect against CSRF attacks you should read this in depth blog post by a security expert: http://erlend.oftedal.no/blog/?blogid=130
answered Mar 5 '09 at 8:46
gregers
8,23873739
2
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
add a comment |
Yes, you need to be careful, but when used properly with trusted services it's relatively safe.
Here's a summary of the security issues with JSONP, as I understand it:
From the consumer's perspective:
- You must trust the provider to not return malicious JavaScript instead of the expected JSON wrapped in the JSONP callback you specify.
- The same is also true of any third party JavaScript embedded add-ons, such as Google Analytics.
- It's only similar to XSS attacks in that it allows a 3rd party to execute arbitrary JavaScript in your application, however, you must first choose to trust that 3rd party by making the request in the first place.
From the provider's perspective:
- You must not assume that even though the clients' cookie(s) are present in the request that the consumer is a webpage under your control. Check the Referer header against a whitelist of authorized URLs, and/or don't rely on cookie-based authentication.
- Analogous to a CSRF / confused deputy attack.
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
add a comment |
There are security issues for both sides. The most serious one is for the site including JSONP.
If you are including a from another domain (which you do not control), that domain can change up the script at any time. They can make the javascript do anything in the context of your webpage, that your own javascript could do. There is no way around this if you use JSONP. You should look into cross-domain communication using iframes, which is best done by the excellent EasyDXM library.
If you are offering a webservice that handles JSONP, you have to protect from Cross-Site Request Forgery (CSRF). This is where your webservice returns sensitive information to logged-in users. If a user has logged into your site, any other site can generate a GET request to the JSONP service, and YOUR domain's cookies are submitted with the request -- in essence, authenticating the logged-in user -- except that now, the remote domain gets the response and is able to read the sensitive data!
The best way to protect against CSRF is to generate a nonce (a hard-to-guess, randomly generated number) and store it in the session. Output this nonce in all your forms on YOUR webpages, and include it in all JSONP requests on YOUR pages. On the server, make sure that the nonce is present and correct in the request (whether it be a GET, POST, etc.) Other domains will be unable to guess this nonce, and thus unable to get the sensitive information, despite the cookies being sent.
Finally, there is another sort of security issue: JSONP simply does not support user authentication in the browser, of the kind that is possible with OAuth. You can, of course, have the server get some kind of access token (like with OAuth) and use that. However, if you want to do authentication entirely in the browser, you have to use cross-domain communication with iFrames. I think this is how OAuth 2.0 does it. Here's how you set it up: pages hosted on your site have full access to your server. Have a javascript library which loads EasyDXM and uses it to set up a hidden iframe to your site, and talk to it using that.
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
add a comment |
JSONP is definitely not safe, as it's simply running whatever it gets cross-domain as JavaScript.
solution! solution!
Create an iframe, preferably a sandboxed one, and load JSONP there. Catch the result and pass it up via window.postMessage
And yes, somebody got this idea first, as usual :)
The blog post is no longer there, but I'm keeping the link here for credit:
http://beebole.com/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
edit: wayback machine link
It used the window.name hack for iframe communication, but that was for IE6 and 7.
edited Nov 20 at 21:38
albert
7,25033356
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
link not valid anymore..
– abe312
Apr 12 at 14:22
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f613962%2fis-jsonp-safe-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross Origin Resource Sharing, and IE8+ have XDomainRequest which is similar. See http://enable-cors.org/ for more info.
JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).
As long as you control the script and the server, JSONP isn't anymore insecure than a script include. Unless you have a JSONP-service that returns sensitive data to logged in users. A malicious site can send a request to the service (hoping that the user is logged in on your site), and retreive the data. The service can check the referrer of the request, but it is possible to spoof the referrer using flash (thanks Chris Moschini).
Imagine this senario:
- A user logs into his internet banking account. Storing a session cookie in the users browser. This site has a jsonp service with sensitive info about the user and his accounts.
- Other sites won't know that the user is logged in, but they could do a wild guess and try to access the jsonp service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an ajax post to save the sensitive data on their server.
Update June 28th 2012: If you want to protect against CSRF attacks you should read this in depth blog post by a security expert: http://erlend.oftedal.no/blog/?blogid=130
answered Mar 5 '09 at 8:46
gregers
8,23873739
2
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
add a comment |
Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross Origin Resource Sharing, and IE8+ have XDomainRequest which is similar. See http://enable-cors.org/ for more info.
JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).
As long as you control the script and the server, JSONP isn't anymore insecure than a script include. Unless you have a JSONP-service that returns sensitive data to logged in users. A malicious site can send a request to the service (hoping that the user is logged in on your site), and retreive the data. The service can check the referrer of the request, but it is possible to spoof the referrer using flash (thanks Chris Moschini).
Imagine this senario:
- A user logs into his internet banking account. Storing a session cookie in the users browser. This site has a jsonp service with sensitive info about the user and his accounts.
- Other sites won't know that the user is logged in, but they could do a wild guess and try to access the jsonp service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an ajax post to save the sensitive data on their server.
Update June 28th 2012: If you want to protect against CSRF attacks you should read this in depth blog post by a security expert: http://erlend.oftedal.no/blog/?blogid=130
answered Mar 5 '09 at 8:46
gregers
8,23873739
2
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
add a comment |
Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross Origin Resource Sharing, and IE8+ have XDomainRequest which is similar. See http://enable-cors.org/ for more info.
JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).
As long as you control the script and the server, JSONP isn't anymore insecure than a script include. Unless you have a JSONP-service that returns sensitive data to logged in users. A malicious site can send a request to the service (hoping that the user is logged in on your site), and retreive the data. The service can check the referrer of the request, but it is possible to spoof the referrer using flash (thanks Chris Moschini).
Imagine this senario:
- A user logs into his internet banking account. Storing a session cookie in the users browser. This site has a jsonp service with sensitive info about the user and his accounts.
- Other sites won't know that the user is logged in, but they could do a wild guess and try to access the jsonp service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an ajax post to save the sensitive data on their server.
Update June 28th 2012: If you want to protect against CSRF attacks you should read this in depth blog post by a security expert: http://erlend.oftedal.no/blog/?blogid=130
answered Mar 5 '09 at 8:46
gregers
8,23873739
Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross Origin Resource Sharing, and IE8+ have XDomainRequest which is similar. See http://enable-cors.org/ for more info.
JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).
As long as you control the script and the server, JSONP isn't anymore insecure than a script include. Unless you have a JSONP-service that returns sensitive data to logged in users. A malicious site can send a request to the service (hoping that the user is logged in on your site), and retreive the data. The service can check the referrer of the request, but it is possible to spoof the referrer using flash (thanks Chris Moschini).
Imagine this senario:
- A user logs into his internet banking account. Storing a session cookie in the users browser. This site has a jsonp service with sensitive info about the user and his accounts.
- Other sites won't know that the user is logged in, but they could do a wild guess and try to access the jsonp service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an ajax post to save the sensitive data on their server.
Update June 28th 2012: If you want to protect against CSRF attacks you should read this in depth blog post by a security expert: http://erlend.oftedal.no/blog/?blogid=130
answered Mar 5 '09 at 8:46
gregers
8,23873739
edited Jun 27 '12 at 22:58
answered Mar 5 '09 at 8:46
gregers
8,23873739
answered Mar 5 '09 at 8:46
gregers
8,23873739
answered Mar 5 '09 at 8:46
gregers
8,23873739
8,23873739
2
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
add a comment |
2
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
2
2
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
It's been pointed out elsewhere that HTTP_REFERER can be spoofed with Flash, so any sensitive data a server offers over jsonp is vulnerable.
– Chris Moschini
May 3 '12 at 22:58
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
This is only one side of the risk. The link by naugtur shows the other side of the risk, and better a solution to that part.
– minghua
Jul 19 '13 at 19:10
add a comment |
Yes, you need to be careful, but when used properly with trusted services it's relatively safe.
Here's a summary of the security issues with JSONP, as I understand it:
From the consumer's perspective:
- You must trust the provider to not return malicious JavaScript instead of the expected JSON wrapped in the JSONP callback you specify.
- The same is also true of any third party JavaScript embedded add-ons, such as Google Analytics.
- It's only similar to XSS attacks in that it allows a 3rd party to execute arbitrary JavaScript in your application, however, you must first choose to trust that 3rd party by making the request in the first place.
From the provider's perspective:
- You must not assume that even though the clients' cookie(s) are present in the request that the consumer is a webpage under your control. Check the Referer header against a whitelist of authorized URLs, and/or don't rely on cookie-based authentication.
- Analogous to a CSRF / confused deputy attack.
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
add a comment |
Yes, you need to be careful, but when used properly with trusted services it's relatively safe.
Here's a summary of the security issues with JSONP, as I understand it:
From the consumer's perspective:
- You must trust the provider to not return malicious JavaScript instead of the expected JSON wrapped in the JSONP callback you specify.
- The same is also true of any third party JavaScript embedded add-ons, such as Google Analytics.
- It's only similar to XSS attacks in that it allows a 3rd party to execute arbitrary JavaScript in your application, however, you must first choose to trust that 3rd party by making the request in the first place.
From the provider's perspective:
- You must not assume that even though the clients' cookie(s) are present in the request that the consumer is a webpage under your control. Check the Referer header against a whitelist of authorized URLs, and/or don't rely on cookie-based authentication.
- Analogous to a CSRF / confused deputy attack.
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
add a comment |
Yes, you need to be careful, but when used properly with trusted services it's relatively safe.
Here's a summary of the security issues with JSONP, as I understand it:
From the consumer's perspective:
- You must trust the provider to not return malicious JavaScript instead of the expected JSON wrapped in the JSONP callback you specify.
- The same is also true of any third party JavaScript embedded add-ons, such as Google Analytics.
- It's only similar to XSS attacks in that it allows a 3rd party to execute arbitrary JavaScript in your application, however, you must first choose to trust that 3rd party by making the request in the first place.
From the provider's perspective:
- You must not assume that even though the clients' cookie(s) are present in the request that the consumer is a webpage under your control. Check the Referer header against a whitelist of authorized URLs, and/or don't rely on cookie-based authentication.
- Analogous to a CSRF / confused deputy attack.
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
Yes, you need to be careful, but when used properly with trusted services it's relatively safe.
Here's a summary of the security issues with JSONP, as I understand it:
From the consumer's perspective:
- You must trust the provider to not return malicious JavaScript instead of the expected JSON wrapped in the JSONP callback you specify.
- The same is also true of any third party JavaScript embedded add-ons, such as Google Analytics.
- It's only similar to XSS attacks in that it allows a 3rd party to execute arbitrary JavaScript in your application, however, you must first choose to trust that 3rd party by making the request in the first place.
From the provider's perspective:
- You must not assume that even though the clients' cookie(s) are present in the request that the consumer is a webpage under your control. Check the Referer header against a whitelist of authorized URLs, and/or don't rely on cookie-based authentication.
- Analogous to a CSRF / confused deputy attack.
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
answered Sep 8 '09 at 5:32
tlrobinson
1,4932031
1,4932031
add a comment |
add a comment |
There are security issues for both sides. The most serious one is for the site including JSONP.
If you are including a from another domain (which you do not control), that domain can change up the script at any time. They can make the javascript do anything in the context of your webpage, that your own javascript could do. There is no way around this if you use JSONP. You should look into cross-domain communication using iframes, which is best done by the excellent EasyDXM library.
If you are offering a webservice that handles JSONP, you have to protect from Cross-Site Request Forgery (CSRF). This is where your webservice returns sensitive information to logged-in users. If a user has logged into your site, any other site can generate a GET request to the JSONP service, and YOUR domain's cookies are submitted with the request -- in essence, authenticating the logged-in user -- except that now, the remote domain gets the response and is able to read the sensitive data!
The best way to protect against CSRF is to generate a nonce (a hard-to-guess, randomly generated number) and store it in the session. Output this nonce in all your forms on YOUR webpages, and include it in all JSONP requests on YOUR pages. On the server, make sure that the nonce is present and correct in the request (whether it be a GET, POST, etc.) Other domains will be unable to guess this nonce, and thus unable to get the sensitive information, despite the cookies being sent.
Finally, there is another sort of security issue: JSONP simply does not support user authentication in the browser, of the kind that is possible with OAuth. You can, of course, have the server get some kind of access token (like with OAuth) and use that. However, if you want to do authentication entirely in the browser, you have to use cross-domain communication with iFrames. I think this is how OAuth 2.0 does it. Here's how you set it up: pages hosted on your site have full access to your server. Have a javascript library which loads EasyDXM and uses it to set up a hidden iframe to your site, and talk to it using that.
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
add a comment |
There are security issues for both sides. The most serious one is for the site including JSONP.
If you are including a from another domain (which you do not control), that domain can change up the script at any time. They can make the javascript do anything in the context of your webpage, that your own javascript could do. There is no way around this if you use JSONP. You should look into cross-domain communication using iframes, which is best done by the excellent EasyDXM library.
If you are offering a webservice that handles JSONP, you have to protect from Cross-Site Request Forgery (CSRF). This is where your webservice returns sensitive information to logged-in users. If a user has logged into your site, any other site can generate a GET request to the JSONP service, and YOUR domain's cookies are submitted with the request -- in essence, authenticating the logged-in user -- except that now, the remote domain gets the response and is able to read the sensitive data!
The best way to protect against CSRF is to generate a nonce (a hard-to-guess, randomly generated number) and store it in the session. Output this nonce in all your forms on YOUR webpages, and include it in all JSONP requests on YOUR pages. On the server, make sure that the nonce is present and correct in the request (whether it be a GET, POST, etc.) Other domains will be unable to guess this nonce, and thus unable to get the sensitive information, despite the cookies being sent.
Finally, there is another sort of security issue: JSONP simply does not support user authentication in the browser, of the kind that is possible with OAuth. You can, of course, have the server get some kind of access token (like with OAuth) and use that. However, if you want to do authentication entirely in the browser, you have to use cross-domain communication with iFrames. I think this is how OAuth 2.0 does it. Here's how you set it up: pages hosted on your site have full access to your server. Have a javascript library which loads EasyDXM and uses it to set up a hidden iframe to your site, and talk to it using that.
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
add a comment |
There are security issues for both sides. The most serious one is for the site including JSONP.
If you are including a from another domain (which you do not control), that domain can change up the script at any time. They can make the javascript do anything in the context of your webpage, that your own javascript could do. There is no way around this if you use JSONP. You should look into cross-domain communication using iframes, which is best done by the excellent EasyDXM library.
If you are offering a webservice that handles JSONP, you have to protect from Cross-Site Request Forgery (CSRF). This is where your webservice returns sensitive information to logged-in users. If a user has logged into your site, any other site can generate a GET request to the JSONP service, and YOUR domain's cookies are submitted with the request -- in essence, authenticating the logged-in user -- except that now, the remote domain gets the response and is able to read the sensitive data!
The best way to protect against CSRF is to generate a nonce (a hard-to-guess, randomly generated number) and store it in the session. Output this nonce in all your forms on YOUR webpages, and include it in all JSONP requests on YOUR pages. On the server, make sure that the nonce is present and correct in the request (whether it be a GET, POST, etc.) Other domains will be unable to guess this nonce, and thus unable to get the sensitive information, despite the cookies being sent.
Finally, there is another sort of security issue: JSONP simply does not support user authentication in the browser, of the kind that is possible with OAuth. You can, of course, have the server get some kind of access token (like with OAuth) and use that. However, if you want to do authentication entirely in the browser, you have to use cross-domain communication with iFrames. I think this is how OAuth 2.0 does it. Here's how you set it up: pages hosted on your site have full access to your server. Have a javascript library which loads EasyDXM and uses it to set up a hidden iframe to your site, and talk to it using that.
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
There are security issues for both sides. The most serious one is for the site including JSONP.
If you are including a from another domain (which you do not control), that domain can change up the script at any time. They can make the javascript do anything in the context of your webpage, that your own javascript could do. There is no way around this if you use JSONP. You should look into cross-domain communication using iframes, which is best done by the excellent EasyDXM library.
If you are offering a webservice that handles JSONP, you have to protect from Cross-Site Request Forgery (CSRF). This is where your webservice returns sensitive information to logged-in users. If a user has logged into your site, any other site can generate a GET request to the JSONP service, and YOUR domain's cookies are submitted with the request -- in essence, authenticating the logged-in user -- except that now, the remote domain gets the response and is able to read the sensitive data!
The best way to protect against CSRF is to generate a nonce (a hard-to-guess, randomly generated number) and store it in the session. Output this nonce in all your forms on YOUR webpages, and include it in all JSONP requests on YOUR pages. On the server, make sure that the nonce is present and correct in the request (whether it be a GET, POST, etc.) Other domains will be unable to guess this nonce, and thus unable to get the sensitive information, despite the cookies being sent.
Finally, there is another sort of security issue: JSONP simply does not support user authentication in the browser, of the kind that is possible with OAuth. You can, of course, have the server get some kind of access token (like with OAuth) and use that. However, if you want to do authentication entirely in the browser, you have to use cross-domain communication with iFrames. I think this is how OAuth 2.0 does it. Here's how you set it up: pages hosted on your site have full access to your server. Have a javascript library which loads EasyDXM and uses it to set up a hidden iframe to your site, and talk to it using that.
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
answered Mar 27 '11 at 3:28
Gregory Magarshak
6681222
6681222
add a comment |
add a comment |
JSONP is definitely not safe, as it's simply running whatever it gets cross-domain as JavaScript.
solution! solution!
Create an iframe, preferably a sandboxed one, and load JSONP there. Catch the result and pass it up via window.postMessage
And yes, somebody got this idea first, as usual :)
The blog post is no longer there, but I'm keeping the link here for credit:
http://beebole.com/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
edit: wayback machine link
It used the window.name hack for iframe communication, but that was for IE6 and 7.
edited Nov 20 at 21:38
albert
7,25033356
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
link not valid anymore..
– abe312
Apr 12 at 14:22
add a comment |
JSONP is definitely not safe, as it's simply running whatever it gets cross-domain as JavaScript.
solution! solution!
Create an iframe, preferably a sandboxed one, and load JSONP there. Catch the result and pass it up via window.postMessage
And yes, somebody got this idea first, as usual :)
The blog post is no longer there, but I'm keeping the link here for credit:
http://beebole.com/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
edit: wayback machine link
It used the window.name hack for iframe communication, but that was for IE6 and 7.
edited Nov 20 at 21:38
albert
7,25033356
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
link not valid anymore..
– abe312
Apr 12 at 14:22
add a comment |
JSONP is definitely not safe, as it's simply running whatever it gets cross-domain as JavaScript.
solution! solution!
Create an iframe, preferably a sandboxed one, and load JSONP there. Catch the result and pass it up via window.postMessage
And yes, somebody got this idea first, as usual :)
The blog post is no longer there, but I'm keeping the link here for credit:
http://beebole.com/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
edit: wayback machine link
It used the window.name hack for iframe communication, but that was for IE6 and 7.
edited Nov 20 at 21:38
albert
7,25033356
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
JSONP is definitely not safe, as it's simply running whatever it gets cross-domain as JavaScript.
solution! solution!
Create an iframe, preferably a sandboxed one, and load JSONP there. Catch the result and pass it up via window.postMessage
And yes, somebody got this idea first, as usual :)
The blog post is no longer there, but I'm keeping the link here for credit:
http://beebole.com/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
edit: wayback machine link
It used the window.name hack for iframe communication, but that was for IE6 and 7.
edited Nov 20 at 21:38
albert
7,25033356
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
edited Nov 20 at 21:38
albert
7,25033356
edited Nov 20 at 21:38
albert
7,25033356
edited Nov 20 at 21:38
albert
7,25033356
7,25033356
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
answered Jun 16 '11 at 12:23
naugtur
15.1k559103
15.1k559103
link not valid anymore..
– abe312
Apr 12 at 14:22
add a comment |
link not valid anymore..
– abe312
Apr 12 at 14:22
link not valid anymore..
– abe312
Apr 12 at 14:22
link not valid anymore..
– abe312
Apr 12 at 14:22
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f613962%2fis-jsonp-safe-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
the site is truly a secure site..i just want to know that whether any security problem with the cookie stored by my server.
– dits59
Mar 5 '09 at 9:06
The link below by naugtur gives a nice solution and an insightful explanation of how it could be broken and how the solution works. Please do take a look.
– minghua
Jul 19 '13 at 19:09
1
related question for fixing the issues: Is it possible to make a secure JSONP request?
– Bergi
Jul 3 '14 at 11:23
Is it a problem that whatever data is being submitted appears as query parameters on a GET request and therefore likely be logged, etc?
– WW.
May 13 '15 at 2:51