
What were the implications of knowing the _callback parameter?



You could invoke pipes from any webpage without worrying about cross-domain access.

If you look at some janky JS code[1] I had on my website at the time, you can see what you can do with it.

That would basically source

://pipes.yahoo.com/pipes/pipe.run?_id=7CTRtbtL3BGX_AHbjknRlg&_render=json&_callback=load_daily_show

as a static asset in my page, which would load the JS and call load_daily_show(<json>) as a result.

Now, EVERYONE who hits my page is invoking the pipe as a backend API call, with no caching and unfortunately with the entire Y/T cookies intact.

[1] - https://web.archive.org/web/20081007043923/http://t3.dotgnu....
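
The exchange described in the comment above, simulated in Node as an added example (not part of the original thread). The host `pipes.example`, the pipe id placeholder and the sample payload are constructed; only the parameter names and the `load_daily_show` callback come from the comment. It shows that the response is executed as script in the embedding page rather than parsed as data.

```javascript
// Added illustration (not from the thread). Host and pipe id are placeholders.

// The URL a page would put in <script src="...">; parameter names are from the comment above.
function jsonpUrl(base, pipeId, callback) {
  const u = new URL(base);
  u.searchParams.set('_id', pipeId);
  u.searchParams.set('_render', 'json');
  u.searchParams.set('_callback', callback);
  return u.toString();
}

// Server side of the exchange (simulated): wrap the JSON in a call to the requested function name.
function jsonpResponse(url, data) {
  const callback = new URL(url).searchParams.get('_callback');
  return `${callback}(${JSON.stringify(data)})`;
}

// Browser side (simulated): a <script> body is executed with the page's globals in scope.
function loadAsScript(body, pageGlobals) {
  const names = Object.keys(pageGlobals);
  new Function(...names, body)(...names.map((n) => pageGlobals[n]));
}

// A JSONP body is a program, not a JSON document, so a data-only parser rejects it.
function parsesAsJson(body) {
  try { JSON.parse(body); return true; } catch (e) { return false; }
}

function demo() {
  const received = [];
  // The embedding page defines the callback the endpoint will be asked to call.
  const page = { load_daily_show: (json) => received.push(json) };
  const url = jsonpUrl('https://pipes.example/pipes/pipe.run', 'PIPE_ID_PLACEHOLDER', 'load_daily_show');
  // Constructed sample payload standing in for the pipe's JSON output.
  const body = jsonpResponse(url, { count: 1, value: { items: [{ title: 'constructed item' }] } });
  loadAsScript(body, page);
  return { url, body, received, isJson: parsesAsJson(body) };
}

console.log(demo());
```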


Yeah, I remember using it as a CORS proxy; it allowed me to put together a full client-side music app (the tracks' source was not very legal), but tags, similar tracks/artists, etc. were pulled from lastfm, which allowed me to quickly build a decent playlist.


At that point in history APIs that returned a JSON object wrapped in a callback were few and far between (and Yahoo! had almost all of them). Pipes would give you anything you wanted in a callback, allowing for nothing-but-front-end mashups of anything that would hold still while being scraped.

Craigslist banned Pipes and un-banned it after YDN employee Jeremy Zawodny went to work there:

https://techcrunch.com/2009/12/01/craigslist-yahoo-pipes-fli...

https://techcrunch.com/2009/12/16/craigslist-yahoo-pipes/



