by Sephr 4363 days ago
The mitigation strategy falls short of current best practices.

> if possible use a dedicated sandbox domain.

It's 2014. You don't have to use JSONP and open up your domain to XSS; just use standard and safe XHR with CORS[1]. Every major browser has supported it for years, and for very old browsers that don't support CORS (IE 8), I wrote pmxdr[2] five years ago.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_con...

[2]: https://github.com/eligrey/pmxdr

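The contrast Sephr is drawing, as an added example that is not code from the article under discussion or from pmxdr: with JSONP the cross-origin "response" is a script the page executes, so the remote host can run anything in your origin; with CORS the response is data that the browser only exposes to an allowlisted origin and that the page parses rather than runs. The origins, function names, the `page` stand-in for the browser's global scope and the hostile sample response are the example author's assumptions.

```javascript
// Added example (not from the HN thread, the article or pmxdr): JSONP as an
// XSS sink versus a CORS-enabled XHR/fetch endpoint that returns inert data.
// Origins, function names and sample bodies below are assumptions.

// Server side, CORS: build response headers from the request. Only
// allowlisted origins are echoed back; anything else gets no
// Access-Control-Allow-Origin, so the browser refuses to expose the body.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']); // assumed

function corsHeaders(reqHeaders, method, allowed = ALLOWED_ORIGINS) {
  const origin = reqHeaders['origin'];
  // Vary on Origin so a shared cache never serves one origin's ACAO to another.
  const h = { 'Vary': 'Origin' };
  if (!origin || !allowed.has(origin)) return h;
  h['Access-Control-Allow-Origin'] = origin;      // never "*" together with credentials
  h['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS') {                     // preflight for non-simple requests
    h['Access-Control-Allow-Methods'] = 'GET, POST';
    h['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Client side, CORS (browser): the body is parsed as JSON, never executed.
// Not invoked here, since Node has no cookie jar or Origin to send.
async function fetchJsonCors(url) {
  const res = await fetch(url, { credentials: 'include' });
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  return res.json();
}

// The same parsing step, isolated so it can be exercised offline.
function consumeCors(body) {
  return JSON.parse(body);
}

// JSONP for contrast: the "response" is a script the page loads via
// <script src=...>, so whatever the remote host returns runs as code in
// the calling page's origin.
function jsonpResponse(callbackName, data) {
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Stand-in for the browser executing that script tag. `page` models the
// page's global scope that the injected script can reach.
function consumeJsonp(scriptText, callbackName, page) {
  let received;
  const cb = (d) => { received = d; };
  new Function(callbackName, 'page', scriptText)(cb, page);
  return received;
}

// Constructed sample: a compromised third party answers the JSONP request
// with a valid-looking callback plus a payload of its own.
const HOSTILE_BODY = 'cb({"ok":true}); page.cookie = "stolen";';

// Run both consumers against the same hostile body and report what happened.
function demo() {
  const page = { cookie: 'session=abc' };
  const viaJsonp = consumeJsonp(HOSTILE_BODY, 'cb', page);
  let viaCors, corsError = null;
  try { viaCors = consumeCors(HOSTILE_BODY); } catch (e) { corsError = e.name; }
  return { viaJsonp, pageCookie: page.cookie, viaCors, corsError };
}
```

Under JSONP the callback fires and the extra statement also runs, overwriting `page.cookie`; under CORS the same body is a JSON parse error and nothing executes. The server-side half shows the checks the JSONP approach cannot offer: an origin allowlist, `Vary: Origin`, and a preflight answer with a fixed method and header list.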

> There is one drawback though--it requires that a pmxdr host endpoint be on the target domain

That's one substantial drawback.

This is one of those times where the people using badly configured proxies just need to live with a broken internet rather than drag the rest of us down.