Well, what I need is the following:

1) url available through HTTP GET
2) access to the parameters of that URL (which contain an encoded message body, address, options, etc.)
3) ability to invoke a web service
4) ability to serialize the response as a javascript callback function
5) ability to package the result into a text/javascript response

Given these requirements, what's wrong with JSP? A system mashup wouldn't allow me to write an arbitrary string as the response, it has to be wrapped in some XML.

Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Chapman
> Sent: Sunday, June 22, 2008 9:15 PM
> To: [email protected]
> Subject: Re: [mashup-dev] XSS solution?
>
> Hi Jonathan,
>
> Why are we submitting the request to a JSP? Wouldn't it make more sense submitting to an actual backend service? How about a special system mashup?
>
> Thanks,
> Keith,
>
> Jonathan Marsh wrote:
> > FYI, here's my new code. The WSRequestXSS.js goes next to WSRequest.js, WSRequestXSSproxy.jsp goes in with the other jsps, and this index.html can go in system/version/www. I then open it up in the browser as usual, then change the domain to my machine name (e.g. replace localhost with "dellicious"). The parameters all get to the jsp ok, I just send a debug message back at present rather than calling the actual web service.
> >
> > Still some thinking to do: Should this replace the existing WSRequest.js? Or be a special option one must ask for? Right now this code replaces the Google Gadget GET proxy code as well - but I'm not totally sure this will work. Testing needed. On IE too.
> >
> > Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:mashup-dev-[EMAIL PROTECTED] On Behalf Of Jonathan Marsh
> >> Sent: Wednesday, June 18, 2008 9:25 PM
> >> To: [EMAIL PROTECTED]; [email protected]
> >> Subject: RE: [mashup-dev] XSS solution?
> >>
> >> OK, I've got the script tunnel pretty well in hand, passing all the arguments to WSRequest.open and WSRequest.send to a .jsp on the mashup server. Now, I just need to invoke the Web Service. Do we have a WSRequest object that is accessible from within a jsp? Or do I have to clone the Axis code in the WSRequest Host Object?
> >>
> >> Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
> >>
> >>> -----Original Message-----
> >>> From: [EMAIL PROTECTED] [mailto:mashup-dev-[EMAIL PROTECTED] On Behalf Of Keith Chapman
> >>> Sent: Monday, June 16, 2008 6:48 PM
> >>> To: [email protected]
> >>> Subject: Re: [mashup-dev] XSS solution?
> >>>
> >>> +1
> >>>
> >>> Thanks,
> >>> Keith.
> >>>
> >>> Jonathan Marsh wrote:
> >>>> We're getting an increasing number of questions about XSS, preventing people from using the mashup within a web page served from a different domain.
> >>>>
> >>>> I'm quite tempted to complete my script-injection workaround, and make it available (at least as an alternate version). I hope people don't go into production with a solution that might be used to simplify XSS attacks, but XSS is really quite a pain during the development and testing phase. In addition to using the alternative WSRequest.js version, I'll require a script wrapper proxy (.jsp?) installed on the mashup server.
> >>>>
> >>>> The alternative of writing proxies for the primary domain is safer but isn't as appealing since we'd need to write one for Apache, for IIS, and who knows what else.
> >>>>
> >>>> What do you think? Will we be perceived as evil?
> >>>>
> >>>> P.S. if I do succeed in this, it shows what a joke XSS is.
> >>>>
> >>>> P.P.S. still a chance I can fail, in which case the joke will be on me ;-).
> >>>>
> >>>> Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com

_______________________________________________
Mashup-dev mailing list
[email protected]
http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev
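The five requirements at the top of the thread describe a script-tunnel (JSONP-style) proxy. The following is an added example, not code from the thread, from WSRequestXSSproxy.jsp or from WSO2's WSRequest.js; it shows the server side of such a proxy in Node-style JavaScript, with the one check such an endpoint needs so that it does not itself become a place where a request parameter is reflected as script: the callback name is restricted to a dotted identifier before being written into the text/javascript body. `parseQuery`, `buildJsonpResponse` and the constructed `fakeService` are assumed names standing in for the real service call.

```javascript
// Added example: the response-building half of a script-tunnel proxy.
// Only a dotted JS identifier (e.g. "WSRequest.cb1") is accepted as the
// callback; anything else is rejected instead of being echoed into script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Requirement 2: recover the tunnelled parameters from the GET URL's query.
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search));
}

// U+2028/U+2029 are legal inside JSON strings but older JS engines treat them
// as line terminators, so escape them before embedding JSON in script source.
function escapeJsonForScript(json) {
  return json.replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Requirements 3-5: invoke the service, serialise the result as a callback
// invocation, and package it as a text/javascript response object.
function buildJsonpResponse(params, invokeService) {
  const callback = params.callback || '';
  if (!CALLBACK_RE.test(callback)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback name' };
  }
  let result;
  try {
    result = invokeService(params);
  } catch (err) {
    // A service failure is still delivered through the callback so the
    // page-side code sees it, rather than as a bare script error.
    result = { error: String(err.message || err) };
  }
  const payload = escapeJsonForScript(JSON.stringify(result));
  return {
    status: 200,
    contentType: 'text/javascript; charset=utf-8',
    headers: { 'X-Content-Type-Options': 'nosniff' },
    body: `${callback}(${payload});`,
  };
}

// Constructed stand-in for the mashup server's web-service invocation
// (assumption: the real proxy would dispatch on address/body/options here).
function fakeService(params) {
  if (!params.address) throw new Error('missing address');
  return { address: params.address, echo: params.body };
}
```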
