diff --git a/api-guide/renderers.html b/api-guide/renderers.html
index cb723e6a9..1441b7ba5 100644
--- a/api-guide/renderers.html
+++ b/api-guide/renderers.html
@@ -311,7 +311,10 @@ def user_count_view(request, format=None):
 <h2 id="jsonprenderer">JSONPRenderer</h2>
 <p>Renders the request data into <code>JSONP</code>.  The <code>JSONP</code> media type provides a mechanism of allowing cross-domain AJAX requests, by wrapping a <code>JSON</code> response in a javascript callback.</p>
 <p>The javascript callback function must be set by the client including a <code>callback</code> URL query parameter.  For example <code>http://example.com/api/users?callback=jsonpCallback</code>.  If the callback function is not explicitly set by the client it will default to <code>'callback'</code>.</p>
-<p><strong>Note</strong>: If you require cross-domain AJAX requests, you may want to consider using the more modern approach of <a href="http://www.w3.org/TR/cors/">CORS</a> as an alternative to <code>JSONP</code>.  See the <a href="../topics/ajax-csrf-cors">CORS documentation</a> for more details.</p>
+<hr />
+<p><strong>Warning</strong>: If you require cross-domain AJAX requests, you should almost certainly be using the more modern approach of <a href="http://www.w3.org/TR/cors/">CORS</a> as an alternative to <code>JSONP</code>.  See the <a href="../topics/ajax-csrf-cors">CORS documentation</a> for more details.</p>
+<p>The <code>jsonp</code> approach is essentially a browser hack, and is <a href="http://stackoverflow.com/questions/613962/is-jsonp-safe-to-use">only appropriate for globally  readable API endpoints</a>, where <code>GET</code> requests are unauthenticated and do not require any user permissions.</p>
+<hr />
 <p><strong>.media_type</strong>: <code>application/javascript</code></p>
 <p><strong>.format</strong>: <code>'.jsonp'</code></p>
 <p><strong>.charset</strong>: <code>utf-8</code></p>
diff --git a/api-guide/views.html b/api-guide/views.html
index c8338560e..8dd319fdd 100644
--- a/api-guide/views.html
+++ b/api-guide/views.html
@@ -298,9 +298,9 @@ This method is used to enforce permissions and throttling, and perform content n
 def hello_world(request):
     return Response({"message": "Hello, world!"})
 </code></pre>
-<p>This view will use the default renderers, parsers, authentication classes etc specified in the <a href="api-guide/settings">settings</a>.</p>
+<p>This view will use the default renderers, parsers, authentication classes etc specified in the <a href="settings">settings</a>.</p>
 <h2 id="api-policy-decorators">API policy decorators</h2>
-<p>To override the default settings, REST framework provides a set of additional decorators which can be added to your views.  These must come <em>after</em> (below) the <code>@api_view</code> decorator.  For example, to create a view that uses a <a href="api-guide/throttling">throttle</a> to ensure it can only be called once per day by a particular user, use the <code>@throttle_classes</code> decorator, passing a list of throttle classes:</p>
+<p>To override the default settings, REST framework provides a set of additional decorators which can be added to your views.  These must come <em>after</em> (below) the <code>@api_view</code> decorator.  For example, to create a view that uses a <a href="throttling">throttle</a> to ensure it can only be called once per day by a particular user, use the <code>@throttle_classes</code> decorator, passing a list of throttle classes:</p>
 <pre class="prettyprint lang-py"><code>from rest_framework.decorators import api_view, throttle_classes
 from rest_framework.throttling import UserRateThrottle