For visualization:
To bypass this issue and reduce the opportunity for accidental exposure of vulnerabilities, you have to change the response type of the requests in this scenario. JSONP support was introduced in jQuery 1.2. JSONP, or JSON with Padding, is a way to wrap JSON responses in a callback function; it removes client-side GET requests and allows only POSTs.
Changing something like this:
{"Id" : 4, "Name" : "Matt Linder"}
to this:
callback({"Id" : 4, "Name" : "Matt Linder"});
I have implemented a default callback on the originating server, with the option to specify a custom consumer script for the callback, which seems to work well.