diff --git a/htdocs/js/app.js b/htdocs/js/app.js
index 76915331..d983ba35 100755
--- a/htdocs/js/app.js
+++ b/htdocs/js/app.js
@@ -22,7 +22,7 @@ app.extend({
 		// receive config from server
 		if (resp.code) {
 			app.showProgress( 1.0, "Waiting for master server..." );
-			setTimeout( function() { load_script( '/api/app/config?callback=app.receiveConfig' ); }, 1000 );
+			setTimeout( function() { load_script( '/api/app/config' ); }, 1000 );
 			return;
 		}
 		delete resp.code;
diff --git a/htdocs/js/pages/Login.class.js b/htdocs/js/pages/Login.class.js
index 139bb358..41c2a8b3 100644
--- a/htdocs/js/pages/Login.class.js
+++ b/htdocs/js/pages/Login.class.js
@@ -31,8 +31,6 @@ Class.subclass( Page.Base, "Page.Login", {
 		
 		this.div.css({ 'padding-top':'75px', 'padding-bottom':'75px' });
 		var html = '';
-		// html += '<iframe name="i_login" id="i_login" src="blank.html" width="1" height="1" style="display:none"></iframe>';
-		// html += '<form id="f_login" method="post" action="/api/user/login?format=jshtml&callback=window.parent.%24P%28%29.doFrameLogin" target="i_login">';
 		
 		html += '<div class="inline_dialog_container">';
 			html += '<div class="dialog_title shade-light">User Login</div>';
diff --git a/lib/api/config.js b/lib/api/config.js
index eadeec9b..69184db3 100644
--- a/lib/api/config.js
+++ b/lib/api/config.js
@@ -15,9 +15,6 @@ module.exports = Class.create({
 		// send config to client
 		var self = this;
 		
-		// prevent XSS
-		args.query.callback = 'app.receiveConfig';
-		
 		// do not cache this API response
 		this.forceNoCacheResponse(args);
 		
@@ -54,7 +51,9 @@ module.exports = Class.create({
 			};
 		}
 		
-		callback(resp);
+		// wrap response in JavaScript
+		var payload = 'app.receiveConfig(' + JSON.stringify(resp) + ');' + "\n";
+		callback( "200 OK", { 'Content-Type': 'text/javascript' }, payload );
 	}
 	
 } );
diff --git a/package-lock.json b/package-lock.json
index b19a1824..00aa79b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 	"name": "Cronicle",
-	"version": "0.9.48",
+	"version": "0.9.49",
 	"lockfileVersion": 3,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "Cronicle",
-			"version": "0.9.48",
+			"version": "0.9.49",
 			"hasInstallScript": true,
 			"license": "MIT",
 			"dependencies": {
@@ -35,7 +35,7 @@
 				"pixl-server-api": "^1.0.2",
 				"pixl-server-storage": "^3.1.18",
 				"pixl-server-user": "^1.0.22",
-				"pixl-server-web": "^1.3.30",
+				"pixl-server-web": "^2.0.0",
 				"pixl-tools": "^1.1.1",
 				"pixl-webapp": "^2.0.2",
 				"shell-quote": "1.7.3",
@@ -2341,9 +2341,9 @@
 			}
 		},
 		"node_modules/pixl-server-web": {
-			"version": "1.3.30",
-			"resolved": "https://registry.npmjs.org/pixl-server-web/-/pixl-server-web-1.3.30.tgz",
-			"integrity": "sha512-Dz/q/695fuO/GohgsKfs1sZXHiizkMK2a/2EtH/gmMBDa2xWwAReKBQu7uHSDr1z3JZmkGauRQuUHzOIxmqtvA==",
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/pixl-server-web/-/pixl-server-web-2.0.0.tgz",
+			"integrity": "sha512-d5iuZdX+VkLMY/oZ49+2BtIl6RIlwpX1fEjCofXDVGCl2wk0EEScWlMw+B6Uu5U8+sbEKW0BoqbzPiVw6f7kfA==",
 			"dependencies": {
 				"async": "3.2.2",
 				"class-plus": "^1.0.0",
diff --git a/package.json b/package.json
index 70164b20..36e0a59e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "Cronicle",
-	"version": "0.9.48",
+	"version": "0.9.49",
 	"description": "A simple, distributed task scheduler and runner with a web based UI.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/Cronicle",
@@ -52,7 +52,7 @@
 		"pixl-server-api": "^1.0.2",
 		"pixl-server-storage": "^3.1.18",
 		"pixl-server-user": "^1.0.22",
-		"pixl-server-web": "^1.3.30",
+		"pixl-server-web": "^2.0.0",
 		"pixl-tools": "^1.1.1",
 		"pixl-webapp": "^2.0.2",
 		"shell-quote": "1.7.3",
