[jira] [Updated] (SHINDIG-1837) Allow containers to exclude JSONP access

Mon, 10 Sep 2012 22:24:18 -0700 

     [ 
https://issues.apache.org/jira/browse/SHINDIG-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marshall Shi updated SHINDIG-1837:
----------------------------------

    Description: 
Shindig code base supports a 'callback' query parameter on a number of entry 
points (RPC Servlet entry, DataServiceServlet and JsonRpcServlet) and thereby 
provides JSONP support. However, Shindig has no place that uses this support.

ALL containers based off of Shindig are now forced to protect themselves 
against inappropriate JSONP usage (security issue).

Why would Shindig ship unused functionality that FORCES all containers to do 
extra work? 

The proposed improvement is to extract a setting so application can disable 
JSONP feature. In the longer term, we can deprecate this feature and remove it 
if no one is depending on this feature.

  was:
RPC Servlet entry, DataServiceServlet and JsonRpcServlet support a callback 
parameter which is added in front of a JSON response, turning the JSON into 
JSONP. An attacker can access this by adding a script tag with a source that 
links to these servlet entries on his page, when the script is loaded it 
automatically executes the function specified in the callback parameter and 
that function can for instance send the data to the attacker website.

The proposed improvement is to extract a setting so application can disable 
JSONP feature. 

    
> Allow containers to exclude JSONP access
> ----------------------------------------
>
>                 Key: SHINDIG-1837
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1837
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: 2.5.0-beta3
>            Reporter: Marshall Shi
>             Fix For: 2.5.0-beta3
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> Shindig code base supports a 'callback' query parameter on a number of entry 
> points (RPC Servlet entry, DataServiceServlet and JsonRpcServlet) and thereby 
> provides JSONP support. However, Shindig has no place that uses this support.
> ALL containers based off of Shindig are now forced to protect themselves 
> against inappropriate JSONP usage (security issue).
> Why would Shindig ship unused functionality that FORCES all containers to do 
> extra work? 
> The proposed improvement is to extract a setting so application can disable 
> JSONP feature. In the longer term, we can deprecate this feature and remove 
> it if no one is depending on this feature.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to