Re: Review Request 55691: Fix XSS vulnerability in pailer invocation.

Jacob Janco Thu, 19 Jan 2017 12:41:49 -0800


> On Jan. 19, 2017, 4:27 p.m., haosdent huang wrote:
> > Hi, seems set `document.cookie` could work instead of use localstorage. The 
> > problem of localstorage is not supported some old browsers. Have you try 
> > set cookie before?


I think the attack vector would be similar if we were to pass the url through a 
cookie. localStorage is supported by: 

               
Feature         Chrome  Firefox (Gecko) Internet Explorer       Opera   Safari 
(WebKit)
localStorage    4           3.5             8                   10.50   4
sessionStorage  5           2               8                   10.50   4

I think this is fairly good coverage especially considering Microsoft's end of 
support for legacy browsers. If it becomes an issue we can definitely rethink 
this.


> On Jan. 19, 2017, 4:27 p.m., haosdent huang wrote:
> > src/webui/master/static/pailer.html, lines 46-68
> > <https://reviews.apache.org/r/55691/diff/1/?file=1608498#file1608498line46>
> >
> >     I think we remove this snippet?

This block of code keeps localStorage clean and sets the sessionStorage for the 
life of the open pailer window, so we need to persist the value through reloads.


> On Jan. 19, 2017, 4:27 p.m., haosdent huang wrote:
> > src/webui/master/static/pailer.html, line 80
> > <https://reviews.apache.org/r/55691/diff/1/?file=1608498#file1608498line80>
> >
> >     I think we could `localStorage.getItem/removeItem` above and use it 
> > here directly?

storageKey is scoped above this to keep it out of the global namespace


- Jacob


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55691/#review162303
-----------------------------------------------------------


On Jan. 18, 2017, 11:40 p.m., Jacob Janco wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55691/
> -----------------------------------------------------------
> 
> (Updated Jan. 18, 2017, 11:40 p.m.)
> 
> 
> Review request for mesos, haosdent huang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-6947
>     https://issues.apache.org/jira/browse/MESOS-6947
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Fix XSS vulnerability in pailer invocation.
> 
> 
> Diffs
> -----
> 
>   src/webui/master/static/js/controllers.js 
> 388ca2447716cbc7141da6a20daf2340621a16e8 
>   src/webui/master/static/pailer.html 
> 19e0981143bd7e8372b49f4f036867e9dd05727a 
> 
> Diff: https://reviews.apache.org/r/55691/diff/
> 
> 
> Testing
> -------
> 
> make -j8 + test framework + checking pailer representation of files in sandbox
> 
> 
> Thanks,
> 
> Jacob Janco
> 
>

Re: Review Request 55691: Fix XSS vulnerability in pailer invocation.

Reply via email to