[
https://issues.apache.org/jira/browse/SLING-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13098059#comment-13098059
]
Antonio Sanso commented on SLING-2206:
--------------------------------------
apologies for attaching the JSONP link but is where I found a good explanation
of the same origin problem combined with <script src=..
For be vulnerable the JSON output doesn't need to be executable.
Give a look at [0] for an example.
[0]
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
> Preventing the Execution of Unauthorized Script in JSON
> -------------------------------------------------------
>
> Key: SLING-2206
> URL: https://issues.apache.org/jira/browse/SLING-2206
> Project: Sling
> Issue Type: New Feature
> Components: Servlets
> Reporter: Antonio Sanso
> Priority: Minor
>
> For an explanation of the security problem please check [0].
> To see how for example Gmail solves the problem refer to [1]
> I think that would be good to have this feature to be configurable (on by
> default). I would personally opt for adding the while(1); solution (that is
> the same Google use).
> .
> [0]
> http://labs.adobe.com/technologies/spry/samples/data_region/JSONParserSample.html
> [1] http://msujaws.wordpress.com/2011/02/28/xss-prevention-in-gmail/
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
