Marshall Shi created SHINDIG-1837:
-------------------------------------
Summary: Allow containers to exclude JSONP access
Key: SHINDIG-1837
URL: https://issues.apache.org/jira/browse/SHINDIG-1837
Project: Shindig
Issue Type: Improvement
Components: Java
Affects Versions: 2.5.0-beta3
Reporter: Marshall Shi
Fix For: 2.5.0-beta3
All the "RESTful" OpenSocial endpoints support a callback parameter which is
added in front of a JSON response, turning the JSON into JSONP. An attacker can
access this by adding to his page a script tag with a source that links to the
OpenSocial endpoints; when the script is loaded, it automatically executes the
function specified in the callback parameter, and that function can, for instance,
send the data to the attacker's website.
The proposed improvement is to extract a setting in container.js so that
applications can disable the JSONP feature.
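The mechanism described in the issue, as an added example (written for this note, not code from Shindig): a minimal model of a RESTful endpoint that wraps its JSON in the caller's callback, the attacker's script-tag trick that reads it, and the effect of a container-level switch. The config key `jsonp.enabled`, the function names, the endpoint URL in the comment and the sample person record are all assumptions for illustration; the actual container.js setting the issue proposes is not named here.

```javascript
// Added example, not Shindig code. Models an OpenSocial-style RESTful
// endpoint with an optional JSONP callback and the cross-origin read the
// issue describes. `jsonp.enabled` is an ASSUMED name for the container.js
// setting; the real key would be whatever the fix defines.

// Only plain identifiers (optionally dotted) are accepted as callback names,
// so a callback value like "alert(1);//" cannot turn the response into
// arbitrary script. This is general JSONP hygiene, independent of the issue.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Server side. `data` is the resource, `query` the parsed query string,
// `config` stands in for the container.js settings.
function renderResponse(data, query, config) {
  const json = JSON.stringify(data);
  const cb = query.callback;
  if (config['jsonp.enabled'] && cb && CALLBACK_RE.test(cb)) {
    // JSONP: the body is executable JavaScript. Any page that includes it via
    // <script src=...> runs it, with the victim's cookies sent on the request.
    return { contentType: 'application/javascript', body: `${cb}(${json});` };
  }
  // Plain JSON: readable only by same-origin XHR/fetch. Loaded as a <script>,
  // an object literal is a syntax error and no function of the attacker's
  // choosing is ever called.
  return { contentType: 'application/json', body: json };
}

// Client side (attacker's page), e.g.
//   <script>function leak(d) { /* send d to attacker */ }</script>
//   <script src="https://container.example/social/rest/people/@me/@self?callback=leak"></script>
// (URL is illustrative.) The browser executes the fetched body as a script;
// new Function models that here with `leak` in scope.
function simulateAttackerPage(response) {
  const stolen = [];
  const leak = (d) => stolen.push(d);
  try {
    new Function('leak', response.body)(leak);
  } catch (e) {
    // A plain JSON object body fails to parse as a script: nothing leaks.
    if (!(e instanceof SyntaxError)) throw e;
  }
  return stolen;
}

// Constructed sample data, not from any real container.
const SAMPLE_PERSON = { id: 'john.doe', displayName: 'John Doe' };
const ATTACK_QUERY = { callback: 'leak' };

// Compare what the attacker's page receives with JSONP on versus off.
function demo() {
  const withJsonp = simulateAttackerPage(
    renderResponse(SAMPLE_PERSON, ATTACK_QUERY, { 'jsonp.enabled': true }));
  const withoutJsonp = simulateAttackerPage(
    renderResponse(SAMPLE_PERSON, ATTACK_QUERY, { 'jsonp.enabled': false }));
  return { withJsonp: withJsonp.length, withoutJsonp: withoutJsonp.length };
}

console.log(demo()); // { withJsonp: 1, withoutJsonp: 0 }
```

Note that disabling the callback in a container does not by itself protect endpoints that return a bare JSON array, which some older engines could execute as a script; returning an object at the top level, or a non-executable prefix, covers that case.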