Posted to issues@shindig.apache.org by "Marshall Shi (JIRA)" <ji...@apache.org> on 2012/09/11 07:24:07 UTC

[jira] [Updated] (SHINDIG-1837) Allow containers to exclude JSONP access

     [ https://issues.apache.org/jira/browse/SHINDIG-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marshall Shi updated SHINDIG-1837:
----------------------------------

    Description: 
The Shindig code base supports a 'callback' query parameter on a number of entry points (RPC Servlet entry, DataServiceServlet and JsonRpcServlet) and thereby provides JSONP support. However, Shindig has no place that uses this support.

ALL containers based off of Shindig are now forced to protect themselves against inappropriate JSONP usage (security issue).

Why would Shindig ship unused functionality that FORCES all containers to do extra work? 

The proposed improvement is to extract a setting so an application can disable the JSONP feature. In the longer term, we can deprecate this feature and remove it if no one is depending on this feature.

  was:
RPC Servlet entry, DataServiceServlet and JsonRpcServlet support a callback parameter which is added in front of a JSON response, turning the JSON into JSONP. An attacker can access this by adding a script tag with a source that links to these servlet entries on his page; when the script is loaded, it automatically executes the function specified in the callback parameter, and that function can for instance send the data to the attacker's website.

The proposed improvement is to extract a setting so an application can disable the JSONP feature.

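One container-side way to implement the proposed switch, as an added example that is not Shindig's own code: a servlet filter that hides the 'callback' parameter from the downstream servlets whenever JSONP is disabled, so those entry points only ever emit plain JSON. It assumes the javax.servlet API; the class names and the jsonp.enabled init-param name are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical container-side filter (not Shindig code): when JSONP is disabled,
// the 'callback' parameter never reaches the servlets, so responses stay plain JSON.
public class JsonpDisablingFilter implements Filter {
  static final String CALLBACK_PARAM = "callback";
  private boolean jsonpEnabled;

  @Override
  public void init(FilterConfig config) {
    // init-param name "jsonp.enabled" is an assumption; anything but "true" disables JSONP
    jsonpEnabled = "true".equalsIgnoreCase(config.getInitParameter("jsonp.enabled"));
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (!jsonpEnabled && req instanceof HttpServletRequest
        && req.getParameter(CALLBACK_PARAM) != null) {
      req = new CallbackStrippingRequest((HttpServletRequest) req);
    }
    chain.doFilter(req, res);
  }

  @Override
  public void destroy() {}

  // Request view with the callback parameter removed from every parameter accessor
  static class CallbackStrippingRequest extends HttpServletRequestWrapper {
    private final Map<String, String[]> params;

    CallbackStrippingRequest(HttpServletRequest request) {
      super(request);
      params = new HashMap<String, String[]>(request.getParameterMap());
      params.remove(CALLBACK_PARAM);
    }

    @Override public String getParameter(String name) {
      String[] v = params.get(name);
      return (v == null || v.length == 0) ? null : v[0];
    }
    @Override public String[] getParameterValues(String name) { return params.get(name); }
    @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
  }
}
```

Map the filter in web.xml onto the URL patterns of the RPC, DataService and JsonRpc servlets so it runs ahead of them.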
    
> Allow containers to exclude JSONP access
> ----------------------------------------
>
>                 Key: SHINDIG-1837
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1837
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: 2.5.0-beta3
>            Reporter: Marshall Shi
>             Fix For: 2.5.0-beta3
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira