by simonw 4363 days ago
I don't think you can use JSONP for XSS. The JavaScript does not execute on the domain that hosts the JS; it executes in the context of the page that loaded the code using a script tag. Allowing attacker-controlled script tags is definitely an XSS hole.

The linked article demonstrates that even just allowing an attacker-controlled function name can allow an XSS hole!
That's due to an extremely complex (albeit easy to exploit) SWF reflection attack.

JSONP itself, though yucky, should still be safe from XSS given a /-star-star-/ prefix and a validated callback parameter.

> given a /-star-star-/ prefix and a validated callback parameter.

I think that is the "waiting to happen" part of my initial comment.
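
The mitigation discussed in this thread (a fixed comment prefix plus a validated callback parameter), as an added example that is not part of the original comments. It assumes "/-star-star-/" stands for the JavaScript comment `/**/`; the function names, the 64-character limit and the extra response headers are assumptions of this example.

```javascript
// Added example: building a hardened JSONP response (hypothetical helper names).

// Dotted JavaScript identifier path only: no parentheses, quotes, brackets or whitespace.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64; // assumed limit, not from the thread

function isValidCallback(name) {
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Serialize the payload so it is safe inside a script response:
// "<" cannot close a <script> block, and U+2028/U+2029 cannot act as
// line terminators in older JavaScript engines.
function jsonForScript(value) {
  const s = JSON.stringify(value);
  if (s === undefined) throw new TypeError("payload is not JSON-serializable");
  return s
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildJsonpResponse(callback, payload) {
  if (!isValidCallback(callback)) {
    // Never echo the rejected value back to the client.
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8",
                 "X-Content-Type-Options": "nosniff" },
      body: "invalid callback",
    };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Content-Disposition": 'attachment; filename="f.txt"',
    },
    // Validation alone still lets the caller choose the first bytes of the
    // response. The constant "/**/" prefix fixes them, so the body cannot
    // begin with a file signature such as a SWF header.
    body: "/**/" + callback + "(" + jsonForScript(payload) + ");",
  };
}
```

`buildJsonpResponse` returns a plain object, so it can be wired into any HTTP framework by copying `status`, `headers` and `body` onto the real response.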