On Thu, Dec 8, 2011 at 12:24 PM, Brian Tingle wrote:
> most sense for what you are trying to do. And for things that work that
> way now, I don't see a need to rush and change it all to JSONP callbacks
> because of some vague security concern.
My comment wasn't security-related. Also, I wasn't talking about
cross-domain JSONP. Obviously, you need to trust the producer there.
That said, I do buy the security argument that HTML is much harder to
verify for absence of, for instance, XSS vulnerabilities. At least
that's what can be inferred from the high frequency with which they're
occurring. Reducing the number of times (specifically places in the
code) where one generates and transmits it could certainly help here.
- Godmar