I’m working on a text classification API that needs to be callable from any domain via JavaScript. I immediately thought of JSONP, since it’s very easy to inject a foreign script tag and thus make cross-site calls. The problem with JSONP, of course, is that it supports GET only. While in most cases GET is sufficient, sometimes one needs to send more information or do other things that require POST. For my project, the ability to send long strings is very important.
So I’m thinking of a way to make cross-site calls in the style of JSONP, but with POST support:
- the client POSTs to the server, sending along a UUID and ignoring the response
- the server performs the action and stores the result with the UUID
- the client GETs the response via JSONP using the UUID
- the cached response expires on the server
The need to perform two requests and cache responses is obviously non-optimal, but I could live with it if it’s the only way of safely making cross-site calls with POST. I might even push out a JSONPOST library…
Update: I’ve given this a try and it actually works reasonably well. With antimatter15’s help, here’s some code and a demo.