[jira] [Updated] (SHINDIG-1837) Allow containers to exclude JSONP access

[Marshall Shi (JIRA)]

     [ 
https://issues.apache.org/jira/browse/SHINDIG-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marshall Shi updated SHINDIG-1837:
----------------------------------

    Description: 
RPC servlet entry supports a callback parameter which is added in front of a 
JSON response, turning the JSON into JSONP. An attacker can access this by 
adding a script tag with a source that links to the RPC servlet entry on his 
page, when the script is loaded it automatically executes the function 
specified in the callback parameter and that function can for instance send the 
data to the attacker website.

The proposed improvement is to extract a setting in container.js so application 
can disable JSONP feature. 

  was:
All the "RESTful" OpenSocial endpoints support a callback parameter which is 
added in front of a JSON response, turning the JSON into JSONP. An attacker can 
access this by adding a script tag with a source that links to the OpenSocial 
endpoints on his page, when the script is loaded it automatically executes the 
function specified in the callback parameter and that function can for instance 
send the data to the attacker website.

The proposed improvement is to extract a setting in container.js so application 
can disable JSONP feature. 

    
> Allow containers to exclude JSONP access
> ----------------------------------------
>
>                 Key: SHINDIG-1837
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1837
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: 2.5.0-beta3
>            Reporter: Marshall Shi
>             Fix For: 2.5.0-beta3
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> RPC servlet entry supports a callback parameter which is added in front of a 
> JSON response, turning the JSON into JSONP. An attacker can access this by 
> adding a script tag with a source that links to the RPC servlet entry on his 
> page, when the script is loaded it automatically executes the function 
> specified in the callback parameter and that function can for instance send 
> the data to the attacker website.
> The proposed improvement is to extract a setting in container.js so 
> application can disable JSONP feature. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira