It's not very proper comparison. Nobody uses JSOPN w/o *a reason*. Autocomplete, as maximum. And security concern of jSONP is way more known than RJS bug (did you see articles on this topic but mine?)
>Maybe we should improve the documentation to point out that you should not be using cookies to authenticate "private" JSONP/JS endpoints IMO, it should be fixed somewhere in code, not in documentation. People don't read it periodically. Not using cookies for JS responses breaks the idea of templating. For API people should use JSON(P). Why JS? On Saturday, November 30, 2013 7:43:51 AM UTC+7, Godfrey Chan wrote: > > Right, I agree that if used incorrectly this be a vector for CSRF attacks. > But like you said, this is also a problem for JSONP, which is by far way > more popular. So unless we also remove JSONP there problem you are > complaining is still there, no? > > Maybe we should improve the documentation to point out that you should not > be using cookies to authenticate "private" JSONP/JS endpoints? Perhaps we > can make it easier to do token-based authentication for API requests? > > Because personally I don't see JSONP going away. > > Godfrey > > > On Fri, Nov 29, 2013 at 2:55 AM, Egor Homakov <[email protected]<javascript:> > > wrote: > >> Focus on security concern. I repeat - any GET accessible .js.erb IS a >> vulnerability because leaks all data it has inside. >> All "i use it because it's fast/convenient" means nothing if it's a >> vulnerable technique. IMO >> >> >> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote: >> >>> https://github.com/rails/rails/issues/12374#issuecomment-29446761 >>> >>> Here in discussion I proposed to deprecate JS responder because this >>> technique is insecure and not pragmatic way to transfer data. >>> It can be exploited in this way http://homakov.blogspot. >>> com/2013/05/do-not-use-rjs-like-techniques.html >>> >>> i find this bug very often so i know what i'm talking about. With it >>> attacker can steal user data and authenticity_token if templates with form >>> were leaked too. >>> >>> >>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "Ruby on Rails: Core" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To post to this group, send email to >> [email protected]<javascript:> >> . >> Visit this group at http://groups.google.com/group/rubyonrails-core. >> For more options, visit https://groups.google.com/groups/opt_out. >> > > -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/rubyonrails-core. For more options, visit https://groups.google.com/groups/opt_out.
