Docs for getJSON() should specify under what conditions it is secure

[davidwagner]

The documentation for getJSON() should mention the conditions under which it causes a XSS vulnerability, and describe what developers need to do to avoid introducing XSS when using getJSON().

In particular, $.getJSON(untrusted_url, function(...) {...}) is unsafe, if untrusted_url comes from an untrusted source (e.g., from the attacker, from another user). If the attacker controls evil.com, the attacker can arrange for untrusted_url to hold something like http://evil.com/callback=? and then arrange for evil.com to respond to that request with malicious Javascript. JQuery's JSONP auto-detection will then eval the Javascript found in the response to that request, making the $.getJSON() call a XSS vulnerability.

This is a foot-gun. It's not clear from the documentation for getJSON() that it can introduce this kind of vulnerability when part or all of the URL can be controlled by the attacker. Documenting this more clearly would help developers avoid inadvertent XSS vulnerabilities in their code.

[Is the following still true? I have not verified it, and it might no longer be the only safe way.] Apparently if the URL might be partially or completely under attacker control, the only safe way to fetch JSON from that URL is to use $.ajax(url, {dataType: 'json', jsonp: false});. This fact is not apparent from the documentation -- it should be described in the documentation more clearly.

See http://stackoverflow.com/q/29022794/ for details.

Re-filed from jquery/jquery#2173, as that was the wrong place to file it. See also #755 and #732; this could be combined with those two. Probably it suffices to have one issue to cover these, but I thought I'd record the full details and justification so there's a description of them.

[arthurvr]

Thanks for reporting this, @davidwagner.

Let's close #755 in favor of this one and just add a note to all Ajax methods.

[AurelioDeRosa]

Is this issue still relevant? If so, is the description provided by the OP a good base for a PR? // cc @timmywil @dmethvin

[dmethvin]

This seems out of the scope of the API docs. The docs already specify that jsonp: false disable the use of JSONP. If the requesting site doesn't trust evil.com it should not be getting anything from it--script or JSON.

That said, if anyone has a short message we can add we could consider it. The $.ajax docs are already long and tedious to read though, so any addition may just get lost in the existing text. Lacking more specifics I'll close this.

[AurelioDeRosa]

What about adding "If you don't trust the target of your Ajax requests, consider setting the jsonp property to false for security reasons"?

[dmethvin]

That's nice and short, if you can find a place to put it.

[AurelioDeRosa]

Perhaps close to the jsonp setting?

[dmethvin]

Sure, works for me.

[AurelioDeRosa]

Closed via e98feb7.