[ https://issues.apache.org/jira/browse/OFBIZ-5409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13863431#comment-13863431 ]
Jacques Le Roux commented on OFBIZ-5409:
----------------------------------------

While creating a new patch, I stumbled upon this https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses? I checked and found this serious article and comments http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ I also found a neat solution (with a ",," typo in the js source) at http://blackbe.lt/safely-handling-json-hijacking-prevention-methods-with-jquery/

Then I checked our JSON calls and they are all using "POST" (the only Ajax "GET" calls are not JSON calls). So we have no current vulnerabilities.

Despite this reassuring situation, I think we should add a security measure like the one used by Google (I prefer the "//" prefix, less disturbing) and use the dataFilter checking js script. So I have created 2 patches for review:
* "OFBIZ-5409 - Remove internal attributes for security reason.patch" contains only an update of the changes proposed by Gareth, but I commented out the check on the "_ERROR_MESSAGE_" part (should not be committed IMO)
* "OFBIZ-5409 - Remove internal attributes for security reason and secure json get.patch" is the same, with the dataFilter checking js script added.
> JSON Response does not set http status on error
> -----------------------------------------------
>
>                 Key: OFBIZ-5409
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5409
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 11.04, SVN trunk, Release Branch 12.04, Release Branch 13.07
>            Reporter: Gareth Carter
>            Assignee: Jacques Le Roux
>         Attachments: CommonEvents.patch, OFBIZ-5409 - Remove internal attributes for security reason and secure json get.patch, OFBIZ-5409 - Remove internal attributes for security reason.patch, OFBIZ-5409 - Remove internal attributes for security reason.patch, before-after.diff
>
>
> When a json response is sent and there was an error in the service called, it does not set the http status. Currently status code is always 200 but it might be more appropriate to send an error code such as 500.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
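The "//" prefix and dataFilter approach discussed in the comment above, as an added illustration that is not part of the OFBiz patches or of the linked articles. The helper names (`jsonPrefix`, `protectJsonResponse`, `jsonHijackDataFilter`, `parseProtectedJson`, `demo`) and the sample payload are assumptions made up for this example; the shape of `jsonHijackDataFilter(data, type)` follows jQuery's `dataFilter` callback contract.

```javascript
// Added example, not OFBiz project code: emit JSON behind an
// anti-hijacking prefix on the server side and strip it on the client
// side before parsing. All helper names below are illustrative.

// The prefix the comment prefers: a JavaScript line comment. If an
// attacker loads the response via <script src="..."> the whole body is
// one comment and nothing executes. That only holds when the body is a
// single line; JSON.stringify guarantees it (newlines inside strings are
// escaped as \n), and the server helper re-checks it defensively.
const jsonPrefix = "//";

// Server side (what a JSON event handler would write to the response).
function protectJsonResponse(payload) {
  const body = JSON.stringify(payload);
  if (body.includes("\n")) {
    throw new Error("payload must serialize to a single line");
  }
  return jsonPrefix + body;
}

// Client side: a jQuery-style dataFilter(data, type). jQuery calls it with
// the raw response text before the dataType conversion runs, so returning
// the stripped text lets JSON conversion proceed normally. It is strict:
// a "json" response that lacks the prefix is refused rather than parsed,
// so an unprotected endpoint or an HTML error page cannot pass as data.
function jsonHijackDataFilter(data, type) {
  if (type !== "json") {
    return data; // html, script and text responses are left untouched
  }
  if (typeof data !== "string" || !data.startsWith(jsonPrefix)) {
    throw new Error("JSON response is missing the anti-hijacking prefix");
  }
  return data.slice(jsonPrefix.length);
}

// What the browser ends up with after filter + parse.
function parseProtectedJson(responseText) {
  return JSON.parse(jsonHijackDataFilter(responseText, "json"));
}

// With jQuery the filter would be wired in per request:
//   $.ajax({ url: "/control/someJsonEvent", dataType: "json",
//            dataFilter: jsonHijackDataFilter, success: handler });
// or once for every request via $.ajaxSetup({ dataFilter: jsonHijackDataFilter }).

// Constructed sample payload standing in for a service result.
const samplePayload = { partyId: "DemoCustomer", balance: 42.5 };

// Round trip: prefixed text is unusable by a plain JSON.parse (which is the
// point: a consumer that does not know the prefix gets nothing), while the
// filtered path yields the original object.
function demo() {
  const wire = protectJsonResponse(samplePayload);
  let rawParseFails = false;
  try {
    JSON.parse(wire);
  } catch (e) {
    rawParseFails = true;
  }
  const parsed = parseProtectedJson(wire);
  return { wire, rawParseFails, parsed };
}

console.log(demo());
```

Two caveats worth keeping in mind. The prefix only protects responses fetched through the client code that knows to strip it, so every JSON consumer in the application has to go through the filter, which is why installing it globally with `$.ajaxSetup` is less error-prone than adding it per call. And the prefix is defense in depth: the original hijack relied on browsers that let a page redefine how array literals are constructed, which current engines no longer allow, so the POST-only discipline the comment verified remains the primary control.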