I have a secured website that requires a user to authenticate, and would like to return sensitive data to the client from my API via JSON-P so that I can get around ajax cross-domain issues. I own both the client and server, so I am not concerned about the security from the client perspective (i.e. reading malicious js from the server).

I have been researching ways to secure the JSON-P to prevent Cross-Site Request Forgery, but haven’t been able to clearly determine whether checking the Referer is a foolproof method for securing the data. As I understand it, the Referer header cannot be spoofed in this situation because the calls would be from javascript, and Headers cannot be changed. Is this a correct assumption?

I would like some clear-cut examples of why or why not checking the Referer would/wouldn’t work to secure JSON-P.

Thanks!

EDIT:

Just to clarify – the JSON-P is secured via Spring Security, so it wouldn’t only be secured by the Referer header. I am mostly concerned here about session hijacking…