Changes to JSONP callbacks

As of July 8th, we now validate JSONP callbacks and prefix them with /**/. All callbacks must match the regex [a-zA-Z_$][\w$]*(\.[a-zA-Z_$][\w$]*)*, or simply they must contain only alphanumeric characters, underscores, dollar signs and periods.

For everyone using JSONP callbacks that match this regex in a JavaScript environment, this shouldn’t affect you at all.

This change was made in response to a security vulnerability. For more on the vulnerability, please read http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

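The validation and prefixing described in the announcement above, as an added example that is not part of the original post and is not Twitch's code. The function names and the choice to answer an invalid callback with a 400 are assumptions; the regex is the one quoted in the post, anchored so the whole value must match.

```javascript
// Added example; not the API's actual implementation.
// Regex from the announcement, with ^...$ so the ENTIRE callback must match.
const CALLBACK_RE = /^[a-zA-Z_$][\w$]*(\.[a-zA-Z_$][\w$]*)*$/;

// True only for a single string that is a dotted chain of identifiers.
// A repeated query parameter often arrives as an array, so check the type.
function isValidCallback(name) {
  return typeof name === 'string' && CALLBACK_RE.test(name);
}

// Build the response for a payload and an optional ?callback= value.
function renderJsonp(payload, callback) {
  const json = JSON.stringify(payload);
  if (callback === undefined) {
    return { status: 200, contentType: 'application/json', body: json };
  }
  if (!isValidCallback(callback)) {
    // Assumed behaviour: refuse rather than echo the value back.
    const err = { error: 'Bad Request', status: 400, message: 'invalid callback' };
    return { status: 400, contentType: 'application/json', body: JSON.stringify(err) };
  }
  // The /**/ prefix means the body never starts with caller-supplied bytes.
  return {
    status: 200,
    contentType: 'application/javascript',
    body: '/**/' + callback + '(' + json + ');',
  };
}

// Constructed sample callback values, not taken from real traffic.
const samples = ['foo', 'jQuery1102.cb_1404800000', '$.on_data',
                 '1abc', 'a..b', 'foo(bar)', 'foo\n', ''];
for (const cb of samples) {
  const res = renderJsonp({ ok: true }, cb);
  console.log(JSON.stringify(cb), '->', res.status, res.body);
}
```
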

Hello!
Why doesn’t the callback param work for the access_token method anymore?

For example, the command
http://api.twitch.tv/api/channels/channel/access_token
returns the valid response for the stream called channel, but the command
http://api.twitch.tv/api/channels/channel/access_token?callback=foo
returns foo({"error":"Bad Request","status":400,"message":"Bad Request"}), although it worked earlier