disabling JSONP from controllers and from expressjs by default #213
…nfiguration, allowing users to enable if they need to
What does JSONP do that will indicate that there is a global user variable?
@ilanbiala I don't understand your question at all.
Basically it looks good to me, but the patch to express/config.js may be somewhat confusing because people would think commenting out the line enables JSONP in all controllers. Actually they need to replace res.json with res.jsonp to use JSONP.
Of course it's not just about commenting it out but also actually sending the responses as JSONP.
@ilanbiala you're incorrectly using terms and this just causes confusion. Neither JSON nor JSONP makes anything 'global'. You're right in thinking that if the response is just JSON then the user data is being returned, as it should be; it's an API after all (this is what I assume you mean by 'global'). With that said, JSONP responses make it possible for websites not under your control to call that API by embedding a script tag and passing the returned JSON from the API to the website's control, which can further be manipulated by callback functions available on the requesting website. This bypasses the same origin policy which browsers enforce by default. That's my 2 cents on the matter; if the issue is still not clear, please google up JSONP and the security issues related to it.
So why have it enabled in the first place?
@ilanbiala your questions aren't really leading anywhere... are they? :)
We're removing JSONP guys, it was a bad idea in the first place.
… be enabled for JSONP to be globally enabled, which isn't true
I updated the PR with removing express's JSONP commented code entirely as @snakamura suggested.
disabling JSONP from controllers and from expressjs by default
I see no problem here. Merging.
disabling JSONP from controllers and commenting out from expressjs configuration, allowing users to enable if they need to
closes issue #208