JSONP enabled by default
Problem
Why the hell is JSONP enabled by default?? That's VERY insecure if a developer doesn't know about it and leaves it open: JSONP enables cross-origin requests, meaning your server is giving your content away to any other server! This can even lead to sensitive user data disclosure to third parties when used in conjunction with XSS. Please, set the default JSONP setting to disabled as soon as possible: default Express servers must NOT accept any callback parameter by default; callback parameters must be explicitly examined by the developer on a per-request basis. Thank you.
Solution: JSONP enabled by default
Sorry, I probably need to better clarify what I'm talking about. Here: http://expressjs.com/api.html#app-settings I can read: "jsonp callback Enables jsonp callback support, enabled by default" which, to the best of my knowledge, is very wrong. Thanks again!
Validation
Resolved in expressjs/express GitHub issue #1304.
Submitted by
Alex Chen