    [SECURITY-47] · 0de3e9b1
    Committed by Jesse Glick
    - My second patch, with whitelisted XPath values and forbidden JSONP.
    - Disabling JSONP altogether for REST API (unless explicitly allowed).
    - Forbid primitive XPath result sets by default.
    - Refuse to serve _crumb=123456 as this could (very hypothetically) be exploited.
    (cherry picked from commit f4af9b1a)
    
    Conflicts:
    
    	core/src/main/java/hudson/model/Api.java
ApiTest.java 4.1 KB