The JSONP callback method should be validated to ensure it is actually a JS method name (identifier). See http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
Validate that JSONP callback method is a JS identifier
the connection negotiate request with jsonp callback return 403 e.g. signalr/negotiate?callback=jQuery1640904470823616872_1359671098514&_=1359671098586
the connection negotiate request with jsonp callback return 403 is different issue, not related to this
@DamianEdwards , in _jsKeywords, for "hrow", do you mean "throw"?
@Xiaohongt that's not an issue you need to EnableCrossDomain for JSONP to work.