Posted to dev@shindig.apache.org by "Kevin Brown (JIRA)" <ji...@apache.org> on 2008/02/25 02:48:52 UTC
[jira] Created: (SHINDIG-93) Improve rpc security
Improve rpc security
--------------------
Key: SHINDIG-93
URL: https://issues.apache.org/jira/browse/SHINDIG-93
Project: Shindig
Issue Type: Improvement
Components: Features
Reporter: Kevin Brown
Assignee: Kevin Brown
Attachments: rpc-security.patch
Currently, gadgets.rpc does not correctly validate which iframe sends an RPC request to the parent page, and it's possible that a malicious gadget could send rpc calls.
Currently, the only service that this actually presents a significant problem for is set_pref, which could be used to overwrite existing user prefs. Our stock implementation of set_pref deals with this by passing a security token that ensures that only the iframe that was registered for the given id may make calls as that id.
The attached patch makes this standard feature for all rpc calls, as long as the parent page appropriately registers a security token for each iframe that it expects to receive calls from.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-93) Improve rpc security
Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-93?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Brown updated SHINDIG-93:
-------------------------------
Attachment: rpc-security.patch
[jira] Closed: (SHINDIG-93) Improve rpc security
Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-93?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Brown closed SHINDIG-93.
------------------------------
Resolution: Fixed
Implemented as of 2/29