[
https://issues.apache.org/jira/browse/SHINDIG-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13430317#comment-13430317
]
Rich Thompson commented on SHINDIG-1837:
----------------------------------------
Shindig no longer uses this support and since JSONP opens a security hole
(defeats the browser's protection against XSS), I would prefer to simply remove
it rather than introduce yet another configuration item. Anyone currently
dependent on this support?
> Allow containers to exclude JSONP access
> ----------------------------------------
>
> Key: SHINDIG-1837
> URL: https://issues.apache.org/jira/browse/SHINDIG-1837
> Project: Shindig
> Issue Type: Improvement
> Components: Java
> Affects Versions: 2.5.0-beta3
> Reporter: Marshall Shi
> Fix For: 2.5.0-beta3
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> RPC Servlet entry, DataServiceServlet and JsonRpcServlet support a callback
> parameter which is added in front of a JSON response, turning the JSON into
> JSONP. An attacker can access this by adding a script tag with a source that
> links to these servlet entries on his page; when the script is loaded, it
> automatically executes the function specified in the callback parameter, and
> that function can, for instance, send the data to the attacker's website.
> The proposed improvement is to extract a setting so that applications can
> disable the JSONP feature.
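The response-rendering behaviour the report describes, modelled as an added example that is not Shindig's own code: `render_legacy` shows the current behaviour, where any `callback` parameter is prepended to the JSON body and the response becomes executable script; `render_rpc_response` is the hardened form that honours the container-level setting the issue proposes and, as extra hardening beyond the issue text, only accepts callback names matching a strict identifier allow-list when JSONP is enabled. The function names, the `jsonp_enabled` flag, the regex and the sample payload are assumptions made for this example.

```python
import json
import re
from typing import Optional, Tuple

# Allow-list for callback names (assumption: this example's own choice, not
# Shindig's). Dotted identifiers like "gadgets.io.cb" are permitted; anything
# containing parentheses, quotes or whitespace is rejected.
_CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def render_legacy(payload: dict, callback: Optional[str]) -> Tuple[str, str]:
    """Behaviour described in the report: the callback is always honoured.

    Any page that embeds <script src=".../rpc?callback=fn"> receives the JSON
    wrapped in a call to fn, so the browser's same-origin restriction on reading
    the response body no longer applies.
    """
    body = json.dumps(payload, separators=(",", ":"))
    if callback is None:
        return "application/json", body
    return "application/javascript", f"{callback}({body});"


def render_rpc_response(
    payload: dict, callback: Optional[str], jsonp_enabled: bool
) -> Tuple[str, str]:
    """Hardened form: JSONP is controlled by a container setting.

    Returns (content_type, body). When jsonp_enabled is False the callback
    parameter is ignored and plain JSON is returned, so the endpoint can no
    longer be loaded as a script from a third-party page. When it is enabled,
    the callback name must pass the allow-list so the wrapper cannot carry
    arbitrary script.
    """
    body = json.dumps(payload, separators=(",", ":"))
    if callback is None or not jsonp_enabled:
        return "application/json", body
    if not _CALLBACK_RE.match(callback):
        raise ValueError("callback parameter is not a valid identifier")
    return "application/javascript", f"{callback}({body});"


if __name__ == "__main__":
    # Constructed sample RPC result standing in for a DataServiceServlet reply.
    sample = {"id": "1", "result": {"ok": True}}
    print(render_legacy(sample, "cb"))
    print(render_rpc_response(sample, "cb", jsonp_enabled=False))
    print(render_rpc_response(sample, "cb", jsonp_enabled=True))
```

With the setting off, a request carrying `callback=cb` gets the same `application/json` body it would get without the parameter, which is the effect the issue asks for; the identifier check only matters for containers that choose to keep JSONP on.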