JSONP callbacks allow Flash CSRF #356

rmccue opened this Issue Jul 16, 2014 · 0 comments


None yet
1 participant

rmccue commented Jul 16, 2014

Using the API's JSONP support, it's possible to control the first bytes of the response sent to the browser. Combining this with an ASCII-encoded SWF allows arbitrary SWFs to be served from the site, allowing bypassing the same-origin policy built in to browsers.

Props @iandunn.

@rmccue rmccue added the Bug label Jul 16, 2014

@rmccue rmccue added this to the 1.1.1 milestone Jul 17, 2014

@rmccue rmccue self-assigned this Jul 17, 2014

@rmccue rmccue changed the title from Problem with JSONP callbacks to JSONP callbacks allow Flash CSRF Jul 26, 2014

@rmccue rmccue closed this in #369 Jul 26, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment