prepend jsonp callbacks with a comment to prevent the rosetta-flash vulnerability by patrickkettner · Pull Request #1766 · hapijs/hapi
tl;dr - someone created an alphanum-only SWF converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.
Prepending callbacks with an empty inline comment breaks the Flash parser, and prevents the issue. This is how Google, Facebook, GitHub, et al. are handling it.
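The mitigation the pull request describes, as an added illustration that is not hapi's own code: a JSONP body builder that validates the callback name and prefixes the response with an empty comment, plus a check showing why the prefix matters. A Flash file has to start with the magic bytes `FWS`, `CWS` or `ZWS`, so a response whose first byte is `/` can no longer be parsed as a SWF no matter what the callback name is. The callback-name pattern, header values and function names are assumptions made for this example.

```javascript
// Added example (not hapi's own code). Builds a JSONP response body with the
// "/**/" comment prefix the pull request proposes. The name pattern and
// headers below are assumptions for the example, not hapi's real settings.

// Accept only dotted JavaScript identifiers as callback names; anything else
// (quotes, parentheses, "<" etc.) is rejected outright.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Legacy shape: the callback name is the very first thing in the response, so
// an attacker-chosen name becomes the leading bytes of the file.
function buildJsonpUnprefixed(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Hardened shape: an empty comment is emitted first, so the first byte of the
// response is "/" and the body can never carry a SWF signature.
function buildJsonp(callback, payload) {
  if (typeof callback !== 'string' || !CALLBACK_NAME.test(callback)) {
    throw new TypeError('invalid JSONP callback name');
  }
  // JSON is valid JavaScript except for U+2028/U+2029 inside string literals
  // in older engines; escape them so the body remains one statement.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    body: `/**/${callback}(${json});`,
    headers: {
      'content-type': 'text/javascript; charset=utf-8',
      'x-content-type-options': 'nosniff',
    },
  };
}

// Defender-side check: does a response body begin with a SWF magic number?
// (Uncompressed, zlib-compressed and LZMA-compressed SWF files start with
// "FWS", "CWS" and "ZWS" respectively.)
function looksLikeSwf(body) {
  return /^(?:FWS|CWS|ZWS)/.test(body);
}

// Stand-alone demonstration with a constructed callback name whose leading
// characters happen to match a SWF signature.
const demo = buildJsonp('CWSdemoCallback', { ok: true });
console.log(demo.body);                         // /**/CWSdemoCallback({"ok":true});
console.log(looksLikeSwf(demo.body));           // false
console.log(looksLikeSwf(buildJsonpUnprefixed('CWSdemoCallback', { ok: true }))); // true
```

The comment prefix costs four bytes and is invisible to every legitimate JSONP consumer, since the browser executes the script as before. Rejecting non-identifier callback names is a separate, complementary check: it stops a caller from injecting arbitrary script into the response, which the prefix alone does not address.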