Merge pull request #87 from github/fix-shiny-memes

gjtorikian · gjtorikian · commit 8d06fec93765 · 2014-01-31T22:03:36.000-08:00
Update JSONP docs to mention protection against hijacking
diff --git a/content/v3.md b/content/v3.md
@@ -517,7 +517,7 @@ plus the relevant HTTP Header information.
 <pre class="terminal">
 $ curl https://api.github.com?callback=foo
 
-foo({
+/**/foo({
   "meta": {
     "status": 200,
     "X-RateLimit-Limit": "5000",
@@ -533,14 +533,30 @@ foo({
 })
 </pre>
 
-You can write a JavaScript handler to process the callback like this:
+You can write a JavaScript handler to process the callback. Here's a minimal example you can try out:
 
-<pre><code class="language-javascript">function foo(response) {
+<pre><code class="language-html">&lt;html>
+&lt;head>
+&lt;script type="text/javascript">
+function foo(response) {
   var meta = response.meta
   var data = response.data
   console.log(meta)
   console.log(data)
-}</code></pre>
+}
+
+var script = document.createElement('script');
+script.src = 'https://api.github.com?callback=foo'
+
+document.getElementsByTagName('head')[0].appendChild(script);
+&lt;/script>
+&lt;/head>
+
+&lt;body>
+&lt;p>Open up your browser's console.&lt;/p>
+&lt;/body>
+
+&lt;/html></code></pre>
 
 All of the headers are the same String value as the HTTP Headers with one
 notable exception: Link.  Link headers are pre-parsed for you and come
