prepend jsonp callbacks with a comment to prevent the rosetta-flash vulnerability by patrickkettner · Pull Request #1766 · hapijs/hapi

background

tl;dr - someone created an alphanum-only swf converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.

Prepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. This is how Google, Facebook, GitHub, et al. are handling it.

CVE-2014-4671A