Hi Jonathan,

Why are we submitting the request to a JSP? Wouldn't it make more sense submitting to an actual backend service? How about a special system mashup?

Thanks,
Keith.

Jonathan Marsh wrote:
FYI, here's my new code.  The WSRequestXSS.js goes next to WSRequest.js,
WSRequestXSSproxy.jsp goes in with the other jsps, and this index.html can
go in system/version/www.  I then open it up in the browser as usual, then
change the domain to my machine name (e.g. replace localhost with
"dellicious").  The parameters all get to the jsp ok, I just send a debug
message back at present rather than calling the actual web service.

Still some thinking to do:  Should this replace the existing WSRequest.js?
Or be a special option one must ask for?  Right now this code replaces the
Google Gadget GET proxy code as well - but I'm not totally sure this will
work.  Testing needed.  On IE too.

Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Jonathan Marsh
Sent: Wednesday, June 18, 2008 9:25 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [mashup-dev] XSS solution?

OK, I've got the script tunnel pretty well in hand, passing all the
arguments to WSRequest.open and WSRequest.send to a .jsp on the mashup
server.  Now, I just need to invoke the Web Service.  Do we have a WSRequest
object that is accessible from within a jsp?  Or do I have to clone the Axis
code in the WSRequest Host Object?

Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:mashup-dev-[EMAIL PROTECTED]]
On Behalf Of Keith Chapman
Sent: Monday, June 16, 2008 6:48 PM
To: [email protected]
Subject: Re: [mashup-dev] XSS solution?

+1

Thanks,
Keith.

Jonathan Marsh wrote:
We're getting an increasing number of questions about XSS, preventing people
from using the mashup within a web page served from a different domain.

I'm quite tempted to complete my script-injection workaround, and make it
available (at least as an alternate version).  I hope people don't go into
production with a solution that might be used to simplify XSS attacks, but
XSS is really quite a pain during the development and testing phase.  In
addition to using the alternative WSRequest.js version, I'll require a
script wrapper proxy (.jsp?) installed on the mashup server.

The alternative of writing proxies for the primary domain is safer but isn't
as appealing since we'd need to write one for Apache, for IIS, and who knows
what else.

What do you think?  Will we be perceived as evil?

P.S. if I do succeed in this, it shows what a joke XSS is.

P.P.S. still a chance I can fail, in which case the joke will be on me ;-).

Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com

------------------------------------------------------------------------
_______________________________________________
Mashup-dev mailing list
[email protected]
http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev

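The script tunnel the thread discusses, as an added example that is not code from the thread, from WSRequest.js, or from WSRequestXSSproxy.jsp: the browser side encodes the WSRequest.open/send arguments into a script URL, and the proxy side (what the JSP would do) validates the callback name and restricts which services it will forward to before answering with JavaScript. The function names, the allowlist entry, the fake echo service and the proxy path used in the usage call are assumptions for this example.

```javascript
// Added example, not code from the mashup-dev thread or from WSO2: a
// minimal model of the "script tunnel" described above, plus the two
// server-side checks such a proxy needs so that it neither reflects
// attacker-chosen script into the caller's page nor acts as an open relay
// to arbitrary services. All names and values here are assumptions.

// Assumed: the only backend the proxy may reach. Without this, any page on
// any origin could make the mashup host call whatever URL it names.
const SERVICE_ALLOWLIST = new Set(["http://localhost/services/echo"]);

// The callback name is echoed into executable JavaScript, so it must be a
// plain identifier; anything else is rejected rather than reflected.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Browser side: the same-origin policy blocks XMLHttpRequest to another
// host, but <script src> may point anywhere, so the WSRequest arguments
// ride along as query parameters (a script tag is always a GET).
function buildTunnelUrl(proxyBase, { method, url, payload, callback }) {
  const q = new URLSearchParams({ method, url, payload, callback });
  return `${proxyBase}?${q.toString()}`;
}
// In a page this would continue with:
//   const s = document.createElement("script");
//   s.src = buildTunnelUrl(...); document.head.appendChild(s);
// and window[callback] receives the result when the response executes.

// Proxy side: decode the query string the script tag carried.
function parseTunnelQuery(requestUrl) {
  const p = new URL(requestUrl).searchParams;
  return {
    method: p.get("method"),
    url: p.get("url"),
    payload: p.get("payload"),
    callback: p.get("callback"),
  };
}

// Validate, dispatch to the service, and answer with a script body.
// invokeService is injected so the example runs without a real web service.
function handleProxyRequest(query, invokeService) {
  const { method, url, payload, callback } = query;
  if (!CALLBACK_RE.test(callback || "")) {
    // Do not echo the bad name: the response is executed as script.
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  if (!SERVICE_ALLOWLIST.has(url)) {
    return {
      status: 403,
      contentType: "application/javascript",
      body: `${callback}(${JSON.stringify({ error: "service not allowed" })});`,
    };
  }
  const result = invokeService(method, url, payload);
  // JSON.stringify is the only serializer used, so whatever the service
  // returns reaches the page as data, never as code.
  return {
    status: 200,
    contentType: "application/javascript",
    body: `${callback}(${JSON.stringify(result)});`,
  };
}

// Constructed stand-in for the Web Service: echoes what it was sent.
function fakeEchoService(method, url, payload) {
  return { method, url, echoed: payload };
}

// Usage (hostname and proxy file name taken from the thread; constructed request):
const tunnelUrl = buildTunnelUrl("http://dellicious/WSRequestXSSproxy.jsp", {
  method: "POST",
  url: "http://localhost/services/echo",
  payload: "<echo>hi</echo>",
  callback: "cb1",
});
console.log(handleProxyRequest(parseTunnelQuery(tunnelUrl), fakeEchoService).body);
```

The allowlist is the part that matters once such a proxy leaves the development box: with the tunnel in place, the same-origin policy no longer limits who can drive the mashup host's services, so the proxy itself has to decide which backends it will call on a caller's behalf. Any authentication cookies the mashup host sets will also accompany the script request, so the proxy should treat the caller as the unauthenticated public unless it checks otherwise.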