JSON server now allows for JSON/P callback
bbttxu - October 7, 2009 - 17:37
| Project: | JSON server |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Description
Patch file allows wrapping of JSON in a callback function, making it a true JSON/P server

#1
#2
I'm not opposed to the change, but I don't think this functionality should be enabled by default.
What would you say to having this be:
a) off by default with an admin option to turn it on
Admins that know they want this on will turn it on and understand what they are getting themselves into. If the admin wants to be malicious, they have to jump through one more hoop before unleashing a plague on the users of their service.
b) more validation of the value of the callback parameter
Not that it really really really matters since the requester is obviously in control of the page already, but what if they formed their request like this:
var hello = function(data, response) { console.log(data); console.log(response); };
$.get('http://example.com/something.php', {'id':18, 'callback':'alert("I like cheese");hello'}, null, 'jsonp');
c) allow the admin to specify what the name of the expected parameter is when a client sends a request with a 'callback' (with a default name of callback).
This is kind of sort of security through obfuscation where the client would need to know the name of the param to make a successful jsonp request (instead of just being able to guess that passing 'callback':'somefunction' works, they would need to know that 'custom-method-name':'somefunction' is what they need to do).
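As an added illustration of options (a) to (c) above, and not code from the json_server module or from the commenter: a minimal server-side JSONP responder in Node.js (hypothetical names renderResponse and isValidCallbackName) that keeps wrapping off by default, lets the admin rename the parameter, and rejects the injected callback value from the request quoted above while still serving pure JSON to clients that send no callback.

```javascript
// Added example, not code from json_server.module: a server-side JSONP
// responder implementing the three options proposed in comment #2.
// Runs under Node.js with no dependencies.

// (a) wrapping is off unless the admin turns it on;
// (c) the admin chooses which query parameter names the callback.
const DEFAULTS = { jsonpEnabled: false, callbackParam: 'callback' };

// (b) accept only a bare function name or dotted path such as "hello" or
// "app.handlers.done", so statements cannot be smuggled in through the
// parameter (the alert(...) value from comment #2 is rejected).
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// query: parsed query-string parameters; payload: data to serialise.
// Returns the response the server should send: { status, contentType, body }.
function renderResponse(query, payload, options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const json = JSON.stringify(payload);
  const cb = query[opts.callbackParam];

  // Feature disabled, or the client did not ask for a callback: pure JSON.
  if (!opts.jsonpEnabled || cb === undefined) {
    return { status: 200, contentType: 'application/json', body: json };
  }
  if (!isValidCallbackName(cb)) {
    return {
      status: 400,
      contentType: 'application/json',
      body: JSON.stringify({ error: 'invalid callback name' }),
    };
  }
  // Valid JSONP: a script that calls the client's function with the data.
  return { status: 200, contentType: 'application/javascript', body: `${cb}(${json});` };
}

// Constructed sample requests: the injected callback from comment #2 and a clean one.
const injected = { id: 18, callback: 'alert("I like cheese");hello' };
const clean = { id: 18, callback: 'hello' };

function demo() {
  console.log(renderResponse(clean, { ok: true }));                            // plain JSON, feature off
  console.log(renderResponse(clean, { ok: true }, { jsonpEnabled: true }));    // hello({"ok":true});
  console.log(renderResponse(injected, { ok: true }, { jsonpEnabled: true })); // status 400
}
demo();
```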
#3
..subscribing
#4
Has anyone had luck getting this to work? Not having much luck here. Not sure if I am missing anything. Would you happen to have a simple example calling system.connect? Using json_server 6.x-1.x-dev w/ the latest Services 6.x-0.15.
Thanks for any help on this.
Alex
#5
Just updating the status on this: the existing patch does not address everything in #2.
#6
@andremolnar
I disagree. I don't believe you understand how JSONP works. There is no security problem by letting the client define the callback. In fact, that's what JSONP is all about. And this is how it's done by everybody, including Yahoo, etc.
The modification is quite simple, actually, and a client can consume pure JSON simply by not setting the callback. Please see the modifications here:
http://drupal.org/node/624898
#7
@nickvidal
I think maybe you misread my comments.
The client obviously needs to define the callback function name. I was saying the server admin should have the option of saying what the name of the expected parameter is for the server to respond.
The name 'callback' is a sensible default
$.get('http://example.com/something.php', {'id':18,'callback':'hello'}, null, 'jsonp' );
But let's say the site admin only wants to send back a JSONP response to the word 'foo' and not the word 'callback'. The above call wouldn't work, but the one below would.
$.get('http://example.com/something.php', {'id':18,'foo':'hello'}, null, 'jsonp' );
I'm just saying that we add that administrative option to the module. Was hoping someone would roll a patch with that.
andre
#8
That would make things just more confusing. Indeed I misread your comment because I didn't even think that someone would suggest this. The 'method' and 'callback' are pretty standard names. That solves issue (c).
As for issue (a), again: the client can consume pure JSON simply by not setting the callback.
As for issue (b), it really doesn't matter...
Please look at the simple changes to the json_server.module attached.