Posted to user@couchdb.apache.org by wh...@aol.com on 2010/08/21 23:25:13 UTC

jsonp vs json for view

 If I wanted to get a view I could do this

localhost:5984/mydatabase/_view/myview
and that would return some json

What would I do if I wanted it to return JSONP?
Or, if that question doesn't make sense:
How do I return a view as JSONP?

Thanks,

Dan

Re: jsonp vs json for view

Posted by Jason Smith <jh...@couch.io>.
On Wed, Aug 25, 2010 at 18:06, Nils Breunese <N....@vpro.nl> wrote:
> I guess there is no risk for CouchDB itself, right?

I think the idea was simply to make it harder for developers to
inadvertently do something dangerous.

However nothing stops a _show or _list function from taking the normal
CouchDB output and adding the 'P' around it. One presumes that a
developer has thought through the implications if that developer took
the time to write a _show or _list.

-- 
Jason Smith
Couchio Hosting

Re: jsonp vs json for view

Posted by Damien Katz <da...@apache.org>.
On Aug 25, 2010, at 9:05 AM, J Chris Anderson wrote:

> 
> On Aug 25, 2010, at 4:06 AM, Nils Breunese wrote:
> 
>> Wout Mertens wrote:
>> 
>>> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>>> 
>>>> J Chris Anderson wrote:
>>>> 
>>>>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
>>>> 
>>>> What exactly is insecure about having JSONP enabled?
>>> 
>>> I'm guessing that JSONP "feels" insecure.
> 
> With JSONP on by default, anyone can write mashups leaking information from CouchDB to code on another site. It's not anything you couldn't read directly with curl or by browsing to the CouchDB, but you could potentially use it to make an attacker's site look customized by listing the user's personal information from a well-known CouchDB document.

Also, for a read-secured database with a user or admin logged in, JSONP makes it possible to steal private data on hostile webpages. Using JSONP, hostile webpages can make GET calls to the CouchDB database with the user's logged-in credentials, load the otherwise secured information into the user's browser, and then send it back to the hostile server.

-Damien

> 
>>> 
>>> The excellent exploit prevention course from Google mentions it as something to avoid:
>>> 
>>> "There's a variation of JSON called JSONP which you should avoid using because it allows script injection by design."
>>> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.
>> 
>> I guess there is no risk for CouchDB itself, right? All CouchDB is doing is wrapping the resulting output with "foo(" and ");". It's the caller that needs to handle the response properly. CouchDB 0.10.1 doesn't have the JSONP setting yet and has it enabled by default, so I can't disable it anyway at the moment. :o)
>> 
>> Nils.
>> 
>> The information contained in this e-mail and attached files is intended solely for use by the addressee and may contain confidential information. Disclosure, reproduction, distribution and/or provision of this information to third parties is reserved to the addressee. VPRO does not guarantee the correct and complete transmission of the content of a sent e-mail, nor its timely receipt.
> 


Re: jsonp vs json for view

Posted by J Chris Anderson <jc...@apache.org>.
On Aug 25, 2010, at 4:06 AM, Nils Breunese wrote:

> Wout Mertens wrote:
> 
>> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>> 
>>> J Chris Anderson wrote:
>>> 
>>>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
>>> 
>>> What exactly is insecure about having JSONP enabled?
>> 
>> I'm guessing that JSONP "feels" insecure.

With JSONP on by default, anyone can write mashups leaking information from CouchDB to code on another site. It's not anything you couldn't read directly with curl or by browsing to the CouchDB, but you could potentially use it to make an attacker's site look customized by listing the user's personal information from a well-known CouchDB document.

>> 
>> The excellent exploit prevention course from Google mentions it as something to avoid:
>> 
>> "There's a variation of JSON called JSONP which you should avoid using because it allows script injection by design."
>> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.
> 
> I guess there is no risk for CouchDB itself, right? All CouchDB is doing is wrapping the resulting output with "foo(" and ");". It's the caller that needs to handle the response properly. CouchDB 0.10.1 doesn't have the JSONP setting yet and has it enabled by default, so I can't disable it anyway at the moment. :o)
> 
> Nils.
> 


Re: jsonp vs json for view

Posted by Nils Breunese <N....@vpro.nl>.
Wout Mertens wrote:

> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>
>> J Chris Anderson wrote:
>>
>>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
>>
>> What exactly is insecure about having JSONP enabled?
>
> I'm guessing that JSONP "feels" insecure.
>
> The excellent exploit prevention course from Google mentions it as something to avoid:
>
> "There's a variation of JSON called JSONP which you should avoid using because it allows script injection by design."
> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.

I guess there is no risk for CouchDB itself, right? All CouchDB is doing is wrapping the resulting output with "foo(" and ");". It's the caller that needs to handle the response properly. CouchDB 0.10.1 doesn't have the JSONP setting yet and has it enabled by default, so I can't disable it anyway at the moment. :o)

Nils.


Re: jsonp vs json for view

Posted by Wout Mertens <wo...@gmail.com>.
On Aug 25, 2010, at 9:44 , Nils Breunese wrote:

> J Chris Anderson wrote:
> 
>> You also need to activate JSONP in the configuration. It's off by default because it is insecure.
> 
> What exactly is insecure about having JSONP enabled?

I'm guessing that JSONP "feels" insecure.

The excellent exploit prevention course from Google mentions it as something to avoid:

"There's a variation of JSON called JSONP which you should avoid using because it allows script injection by design."
– http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" section.

Wout.

Re: jsonp vs json for view

Posted by Nils Breunese <N....@vpro.nl>.
J Chris Anderson wrote:

> You also need to activate JSONP in the configuration. It's off by default because it is insecure.

What exactly is insecure about having JSONP enabled?

Nils.


Re: jsonp vs json for view

Posted by J Chris Anderson <jc...@apache.org>.
On Aug 24, 2010, at 2:35 AM, Nils Breunese wrote:

> Dan wrote:
> 
>> If I wanted to get a view I could do this
>> 
>> localhost:5984/mydatabase/_view/myview
>> and that would return some json
>> 
>> What would I do if I wanted it to return jsonp?
>> or if that question doesn't make sense.
>> How do I return a view as jsonp?
> 
> Add the callback parameter to the URL and specify a name for the JSONP callback function:
> 
> http://example.com:5984/mydatabase/_design/myddoc/_view/myview?callback=foo
> 
> If you use jQuery, you can let jQuery generate a callback function name by using a question mark as the callback function name.
> 

You also need to activate JSONP in the configuration. It's off by default because it is insecure.

> Nils.
> 
> P.S. It seems neither the wiki nor the Definitive Guide mention JSONP?
> 


Re: jsonp vs json for view

Posted by Nils Breunese <N....@vpro.nl>.
Dan wrote:

> If I wanted to get a view I could do this
>
> localhost:5984/mydatabase/_view/myview
> and that would return some json
>
> What would I do if I wanted it to return jsonp?
> or if that question doesn't make sense.
> How do I return a view as jsonp?

Add the callback parameter to the URL and specify a name for the JSONP callback function:

http://example.com:5984/mydatabase/_design/myddoc/_view/myview?callback=foo

If you use jQuery, you can let jQuery generate a callback function name by using a question mark as the callback function name.

Nils.

P.S. It seems neither the wiki nor the Definitive Guide mention JSONP?

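The JSONP handling this thread describes (the `?callback=foo` parameter, the configuration gate Chris mentions, and the `foo(` ... `);` wrapping that a _show or _list function could also add) as an added Node.js example, not CouchDB's own code. It assumes the setting is `[httpd] allow_jsonp` (the real CouchDB key, which the thread does not name); refusing the request when JSONP is disabled and checking the callback name are this example's choices, not a description of CouchDB's implementation.

```javascript
// Added example (not CouchDB's code): models JSONP wrapping of a view result,
// gated by the [httpd] allow_jsonp setting and a callback-name check.

// Only a plain JavaScript identifier (optionally dotted, e.g. "app.cb") is
// accepted as a callback name. Anything else would be reflected verbatim into
// a script response, which is the "script injection by design" risk quoted
// from the Gruyere course.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the HTTP response for a view request.
//   viewResult: the object CouchDB would serialise as the view's JSON body
//   query:      parsed query-string parameters (only `callback` matters here)
//   config:     { allow_jsonp: boolean }, standing in for the [httpd] section
function buildViewResponse(viewResult, query, config) {
  const json = JSON.stringify(viewResult);
  const callback = query.callback;
  const reject = (reason) => ({ status: 400, contentType: 'application/json',
    body: JSON.stringify({ error: 'bad_request', reason }) });

  // No callback requested: plain JSON, exactly as before JSONP existed.
  if (callback === undefined) {
    return { status: 200, contentType: 'application/json', body: json };
  }
  // JSONP disabled (the default): refuse instead of serving script (example's choice).
  if (!config.allow_jsonp) {
    return reject('JSONP callback not allowed');
  }
  // Callback values that are not identifiers never reach the response body.
  if (!isSafeCallbackName(callback)) {
    return reject('invalid JSONP callback');
  }
  // The wrapping itself: the "P" around the normal JSON output.
  return { status: 200, contentType: 'application/javascript', body: `${callback}(${json});` };
}

// Constructed sample view result, shaped like CouchDB view output.
const SAMPLE_VIEW = { total_rows: 1, offset: 0,
                      rows: [{ id: 'doc1', key: 'a', value: 1 }] };

console.log(buildViewResponse(SAMPLE_VIEW, { callback: 'foo' }, { allow_jsonp: true }).body);
```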