[ https://issues.apache.org/jira/browse/SHINDIG-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marshall Shi updated SHINDIG-1837:
----------------------------------

    Description: 
RPC Servlet entry, DataServiceServlet and JsonRpcServlet support a callback 
parameter which is added in front of a JSON response, turning the JSON into 
JSONP. An attacker can access this by adding a script tag with a source that 
links to these servlet entries on his page; when the script is loaded it 
automatically executes the function specified in the callback parameter, and 
that function can, for instance, send the data to the attacker's website.

The proposed improvement is to extract a setting so the application can disable 
the JSONP feature.

  was:
RPC servlet entry supports a callback parameter which is added in front of a 
JSON response, turning the JSON into JSONP. An attacker can access this by 
adding a script tag with a source that links to the RPC servlet entry on his 
page; when the script is loaded it automatically executes the function 
specified in the callback parameter, and that function can, for instance, send the 
data to the attacker's website.

The proposed improvement is to extract a setting in container.js so the application 
can disable the JSONP feature.

    
> Allow containers to exclude JSONP access
> ----------------------------------------
>
>                 Key: SHINDIG-1837
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1837
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: 2.5.0-beta3
>            Reporter: Marshall Shi
>             Fix For: 2.5.0-beta3
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> RPC Servlet entry, DataServiceServlet and JsonRpcServlet support a callback 
> parameter which is added in front of a JSON response, turning the JSON into 
> JSONP. An attacker can access this by adding a script tag with a source that 
> links to these servlet entries on his page; when the script is loaded it 
> automatically executes the function specified in the callback parameter, and 
> that function can, for instance, send the data to the attacker's website.
> The proposed improvement is to extract a setting so the application can disable 
> the JSONP feature.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
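As an added illustration (not Shindig's own code), this is the kind of container-level switch the ticket asks for, applied where the servlet writes its response: the `JsonResponseWriter` class and its `jsonpEnabled` flag are assumed names standing in for the proposed container.js setting, and the callback-name check is an extra hardening the ticket does not mention.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added illustration, not Shindig code. Writes an RPC result as plain JSON and
 * wraps it in a JSONP callback only when the container has enabled JSONP.
 */
public final class JsonResponseWriter {
  // Only identifier-like callback names (optionally dotted) are accepted, so the
  // callback parameter cannot inject arbitrary script into the response body.
  private static final Pattern SAFE_CALLBACK =
      Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");
  private final boolean jsonpEnabled; // hypothetical container.js setting

  public JsonResponseWriter(boolean jsonpEnabled) {
    this.jsonpEnabled = jsonpEnabled;
  }

  public void write(HttpServletRequest req, HttpServletResponse resp, String json)
      throws IOException {
    String callback = req.getParameter("callback");
    resp.setCharacterEncoding("UTF-8");
    // The body may carry data tied to the caller's session: forbid caching and
    // stop browsers from sniffing the declared content type into something else.
    resp.setHeader("Cache-Control", "no-store");
    resp.setHeader("X-Content-Type-Options", "nosniff");

    if (callback == null || callback.isEmpty()) {
      // No callback requested: plain JSON, which a cross-site <script src=...>
      // tag cannot read.
      resp.setContentType("application/json");
      resp.getWriter().write(json);
      return;
    }
    if (!jsonpEnabled) {
      // Container opted out of JSONP: refuse rather than silently wrap the data.
      resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSONP is disabled");
      return;
    }
    if (!SAFE_CALLBACK.matcher(callback).matches()) {
      resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid callback name");
      return;
    }
    resp.setContentType("application/javascript");
    resp.getWriter().write(callback + "(" + json + ");");
  }
}
```

With the flag off, a cross-origin page that embeds the servlet URL in a script tag gets a 403 instead of a script that hands the JSON to its callback.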
