Improve rpc security
--------------------
Key: SHINDIG-93
URL: https://issues.apache.org/jira/browse/SHINDIG-93
Project: Shindig
Issue Type: Improvement
Components: Features
Reporter: Kevin Brown
Assignee: Kevin Brown
Attachments: rpc-security.patch
Currently, gadgets.rpc does not correctly validate which iframe sends an RPC
request to the parent page, and it's possible that a malicious gadget could
send rpc calls.
Currently, the only service that this actually presents a significant problem
for is set_pref, which could be used to overwrite existing user prefs. Our
stock implementation of set_pref deals with this by passing a security token
that ensures that only the iframe that was registered for the given id may make
calls as that id.
The attached patch makes this a standard feature for all rpc calls, as long as
the parent page appropriately registers a security token for each iframe that
it expects to receive calls from.
--
This message is automatically generated by JIRA.