JSONP doesn’t work with localhost

by Jon Davis 1. August 2009 23:06

I discovered something today that had me stumped for days. JSONP doesn’t work on localhost! All the JSONP samples I found made perfect sense and executed perfectly from the web sites’ demos that explained them, but I simply could not execute the same JSONP implementations locally so long as I was using localhost. (Note that localhost is forcibly used by Visual Studio 2008 users who wish to use the built-in web server.)

And it makes sense why it does not work. I shared this problem and a workaround here:


Basically, JSONP is itself a security vulnerability, and if the browsers didn’t block localhost from JSONP execution then all the web clients out there would be vulnerable to HTTP attacks. However, the browsers’ security constraints stop there: there’s still a vulnerability where “localhost.” (with a trailing '.') is suddenly exposed. Microsoft and Mozilla need to patch this!!
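To make the mechanism behind that point concrete, here is an added example (not code from the original post or from Jon): JSONP works by handing the browser a script to execute, so the same-origin policy that restricts XMLHttpRequest does not apply, and the server must treat the callback name as untrusted input. The function names (`buildJsonpUrl`, `jsonpResponse`, `simulateBrowser`), the `api.example.test` host and the payloads are assumptions made for the demo; `simulateBrowser` stands in for what a `<script src>` tag does so the code runs in Node without a DOM.

```javascript
// Added example, not from the original post. Illustrates the JSONP
// mechanism and a hardened server-side wrapper. All names are hypothetical.

// Only accept a plain JavaScript identifier as the callback name. Anything
// else (e.g. "alert(1);//") would let a caller turn the response into an
// XSS payload that runs on every page that includes this endpoint.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Client side: JSONP points a <script> tag at a cross-origin URL and names
// the function the response should call. <script src> is exempt from the
// same-origin policy, which is exactly why JSONP is a cross-site risk.
function buildJsonpUrl(endpoint, callbackName, params = {}) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error(`invalid JSONP callback name: ${callbackName}`);
  }
  const url = new URL(endpoint);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  url.searchParams.set('callback', callbackName);
  return url.toString();
}

// Server side: wrap the JSON payload in a call to the requested callback.
// Returns { status, headers, body } and rejects unsafe callback names.
function jsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain' },
      body: 'invalid callback',
    };
  }
  // JSON.stringify output is valid JS except that older engines reject raw
  // U+2028/U+2029 inside string literals, so escape them to keep it a script.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    // Serve as JavaScript (not application/json) with nosniff so the browser
    // never reinterprets the body as another content type.
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading /**/ comment is the common defence against the response
    // being parsed as non-JavaScript content by a plugin.
    body: `/**/ ${callbackName}(${json});`,
  };
}

// Stand-in for the browser: evaluate the response as a script with the named
// callback in scope and return whatever the script passed to it.
function simulateBrowser(responseBody, callbackName) {
  let received = null;
  const cb = (payload) => { received = payload; };
  // new Function mimics <script> execution for this demo only.
  new Function(callbackName, responseBody)(cb);
  return received;
}

// Stand-alone demo with a constructed payload.
const demoUrl = buildJsonpUrl('http://api.example.test/data', 'cb1', { q: 'x' });
const demoResponse = jsonpResponse('cb1', { user: 'demo', n: 2 });
console.log(demoUrl);
console.log(demoResponse.body, '->', simulateBrowser(demoResponse.body, 'cb1'));
```

The important design point is the last one in `simulateBrowser`: whatever the endpoint returns runs with the privileges of the including page, and the request carries the user's cookies for the endpoint's origin, so a JSONP endpoint should never expose per-user data that a third-party page must not see.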
