JSONP doesn’t work with localhost

by Jon Davis 1. August 2009 23:06

I discovered something today that had me stumped for days. JSONP doesn’t work on localhost! All the JSONP samples I found made perfect sense and executed perfectly from the web sites’ demos that explained them, but I simply could not execute the same JSONP implementations locally so long as I was using localhost. (Note that localhost is forcibly used by Visual Studio 2008 users who wish to use the built-in web server.)

And it makes sense why it does not work; I shared this problem and a workaround here:

http://stackoverflow.com/questions/1217926/jsonp-callback-doesnt-execute-when-running-at-localhost

Basically, JSONP is itself a security vulnerability, and if the browsers didn’t block localhost from JSONP execution then all the web clients out there would be vulnerable to HTTP attacks. However, the browsers’ security constraints stop there; there’s still a vulnerability where “localhost.” (with a trailing '.') is suddenly exposed. Microsoft and Mozilla need to patch this!!
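JSONP works by having the page load a `<script>` from another origin and execute whatever comes back, which is why the post treats it as a security hole in its own right. As an added example (not code from the post), here is the server-side half written defensively: the `callback` query parameter is the part an attacker controls, so the responder below only accepts identifier-like callback names and never echoes anything else into the script body. Function and header names are assumptions for the example, not from the post.

```javascript
// Added example: building a JSONP response without letting the callback
// parameter become script injection. Names below are constructed for the demo.

// Accept only identifier-like callback names such as "handle" or "App.cb_1".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Returns { headers, body } for a JSONP reply, or null when the callback name
// is rejected (the caller should then answer 400 instead of emitting script).
function buildJsonpResponse(callbackName, payload) {
  if (!isSafeCallback(callbackName)) {
    return null;
  }
  // JSON.stringify turns the payload into a literal; U+2028/U+2029 are legal in
  // JSON but were line terminators in older JS engines, so escape them too.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    headers: {
      // The leading comment and nosniff stop a client from treating the reply
      // as some other content type than the one declared here.
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    // Guard with typeof so a missing callback fails quietly instead of throwing.
    body: "/**/ typeof " + callbackName + " === 'function' && " +
          callbackName + "(" + json + ");",
  };
}

// Constructed usage: one accepted name, one rejected one.
const accepted = buildJsonpResponse("handleData", { user: "alice", roles: ["dev"] });
const rejected = buildJsonpResponse("not an identifier()", { user: "alice" });
console.log(accepted && accepted.body); // the callback invocation as script text
console.log(rejected);                  // null
```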
