allow periods in jsonp callback function name #455
rmccue responded with "Interesting; it was actually intentional to leave out . (not _) to avoid the possibility of side effects, but I guess I'm OK with adding it." but nothing has been added yet, at least I couldn't find a branch with the changes.
I am currently using WP-API with an Angular frontend, and I needed to make this fix, so I thought I would contribute it back as well.
A commit was added to this pull request on Aug 31, 2014.
FWIW, I'm still curious about potential security concerns here. Giving access to
cc @mdawaffe for any thoughts
https://news.ycombinator.com/item?id=809815 has a pretty nice summary of why we have the existing restrictions on JSONP callbacks here.
Really what we're doing if we allow
Being strict is a nice thing for us to have, since it reduces the attack surface significantly. For example, the Reflected File Download exploit is made much harder to use, since you can't use any control characters. I'd prefer us to be as strict as possible, but also don't want to ruin the developer experience unnecessarily.
That said, it doesn't look like Angular is going to change. As noted on angular/angular.js#1551, Angular is treating this as a problem with the server code for not allowing it. (caitp is the 7th most active committer on the project, and a member of the organisation)
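One way to admit the dotted names Angular generates while keeping the rest of the restriction rmccue describes, written as an added illustration rather than WP-API's own code; the function names, the 255-character limit and the response headers are assumptions of this example:

```php
<?php
// Added example, not WP-API's own code. A strict JSONP callback validator
// that accepts the dotted names Angular generates (angular.callbacks._0)
// while still rejecting every character outside [A-Za-z0-9_.], so quotes,
// brackets, whitespace and control characters never reach the response.
function wp_api_example_is_valid_jsonp_callback( $callback ) {
    if ( ! is_string( $callback ) || '' === $callback || strlen( $callback ) > 255 ) {
        return false;
    }
    // One or more identifier segments joined by single dots. Leading or
    // trailing dots and empty segments ("a..b") fail because each segment
    // must start with a letter or underscore. \z (not $) so that a trailing
    // newline cannot slip past the check.
    $segment = '[A-Za-z_][A-Za-z0-9_]*';
    return 1 === preg_match( "/^{$segment}(?:\\.{$segment})*\\z/", $callback );
}

// Emit the JSONP body only after validation. The leading comment, the script
// content type and nosniff are the usual hardening against content sniffing
// and reflected file download; they are assumptions of this example.
function wp_api_example_send_jsonp( $callback, $data ) {
    if ( ! wp_api_example_is_valid_jsonp_callback( $callback ) ) {
        header( 'HTTP/1.1 400 Bad Request' );
        header( 'Content-Type: application/json; charset=utf-8' );
        echo json_encode( array( 'error' => 'Invalid JSONP callback.' ) );
        return;
    }
    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo '/**/' . $callback . '(' . json_encode( $data ) . ');';
}

// Constructed sample inputs showing which callbacks pass the relaxed rule.
$samples = array(
    'angular.callbacks._0' => true,   // Angular's generated name
    'jQuery1110_123'       => true,
    'my.callback.fn'       => true,
    '.angular.callbacks'   => false,  // leading dot
    'a..b'                 => false,  // empty segment
    'alert(1)//'           => false,  // parentheses and slashes
    "cb\r\n"               => false,  // control characters
    'a.b.c.'               => false,  // trailing dot
);
foreach ( $samples as $name => $expected ) {
    $ok = wp_api_example_is_valid_jsonp_callback( $name );
    printf( "%-24s %s\n", json_encode( $name ), $ok === $expected ? 'as expected' : 'UNEXPECTED' );
}
```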
Hey guys, we are using the API extensively for our app builder, Reactor. We really need the "." supported for jsonp in Angular so we can make cross domain data requests. I understand your security concerns, but Angular is pretty widely used, and I think supporting it is a necessity.
I think the
(Out of country at the moment. Very limited internet.)
On Sunday, November 9, 2014, Ryan McCue email@example.com wrote: