[spacemanmatt]

Why is JSONP any less than an XSS exploit waiting to happen?

[simonw]

I don't think you can use JSONP for XSS. The JavaScript does to execute on the domain that hosts the JS, it executes in the context of the page that loaded the code using a script tag. Allowing attacker-controlled script tags is definitely an XSS hole.

[eli]

The linked article demonstrates even just allowing attacker-controlled function name can allow an XSS hole!

[simonw]

That's due to an extremely complex (albeit easy to exploit) SWF reflection attack.

JSONP itself, though yucky, should still be safe from XSS given a /-star-star-/ prefix and a validated callback parameter.

[spacemanmatt]

> given a /-star-star-/ prefix and a validated callback parameter.

I think that is the "waiting to happen" part of my initial comment.

[wmil]

It seems to me that the real problem is that flash has access to browser cookies without following the browser security model.