Yes, you need to be careful, but when used properly with trusted services it's relatively safe.
Here's a summary of the security issues with JSONP, as I understand it:
From the consumer's perspective:
- You must trust the provider to not return malicious JavaScript instead of the expected JSON wrapped in the JSONP callback you specify.
- The same is true of any embedded third-party JavaScript add-ons, such as Google Analytics.
- It's only similar to XSS attacks in that it allows a third party to execute arbitrary JavaScript in your application; however, you must first choose to trust that third party by making the request in the first place.
From the provider's perspective:
- You must not assume, just because the client's cookie(s) are present in the request, that the consumer is a webpage under your control. Check the Referer header against a whitelist of authorized URLs, and/or don't rely on cookie-based authentication.
- Analogous to a CSRF / confused deputy attack.