Posted to dev@shindig.apache.org by Marshall Shi <sh...@cn.ibm.com> on 2012/10/09 06:29:33 UTC
Re: Review Request: allow container to exclude JSONP access
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/
-----------------------------------------------------------
(Updated Oct. 9, 2012, 4:29 a.m.)
Review request for shindig, Ryan Baxter, Dan Dumont, Stanton Sievers, and Rich Thompson.
Changes
-------
Call for comments.
Description
-------
The Shindig code base supports a 'callback' query parameter on a number of entry points (RPC Servlet entry, DataServiceServlet and JsonRpcServlet) and thereby provides JSONP support. However, Shindig has no place that uses this support.
ALL containers based off of Shindig are now forced to protect themselves against inappropriate JSONP usage (security issue).
Why would Shindig ship unused functionality that FORCES all containers to do extra work?
The proposed improvement is to extract a setting so an application can disable the JSONP feature. In the longer term, we can deprecate this feature and remove it if no one is depending on it.
This addresses bug shindig-1837.
https://issues.apache.org/jira/browse/shindig-1837
Diffs
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/common/conf/shindig.properties 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/protocol/ApiServlet.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/protocol/DataServiceServlet.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/protocol/JsonRpcServlet.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/protocol/DataServiceServletTest.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/protocol/JsonRpcServletTest.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/RpcServlet.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/RpcServletTest.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/samples/src/test/java/org/apache/shindig/social/opensocial/jpa/spi/integration/JpaRestfulTestConfigHelper.java 1373213
http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/dataservice/integration/AbstractLargeRestfulTests.java 1373213
Diff: https://reviews.apache.org/r/6652/diff/
Testing
-------
Done
Thanks,
Marshall Shi
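As an added example (not code from the Shindig patch under review, and not the project's own API), the hypothetical class below shows what the proposed setting buys a container: with the property off, a 'callback' parameter is ignored and plain JSON is returned; with it on, the callback name is still restricted to a JavaScript identifier before it is reflected into the response. The property key, class and method names are assumptions, not the ones in the patch.

```java
import java.util.Properties;
import java.util.regex.Pattern;

/** Hypothetical JSONP gate for a servlet; illustrative only, not Shindig's implementation. */
public final class JsonpResponseGate {
    // Assumed property key; the real key lives in the patched shindig.properties, not on this page.
    static final String ENABLE_KEY = "example.jsonp.enabled";
    // A callback may only be a plain (optionally dotted) JS identifier. Quotes, parentheses,
    // angle brackets etc. are rejected so the reflected parameter cannot carry script.
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    private final boolean jsonpEnabled;

    JsonpResponseGate(Properties conf) {
        // Secure default: JSONP stays off unless the container explicitly opts in.
        this.jsonpEnabled = Boolean.parseBoolean(conf.getProperty(ENABLE_KEY, "false"));
    }

    /** What the servlet should write: content type plus body. */
    static final class Rendered {
        final String contentType;
        final String body;
        Rendered(String contentType, String body) { this.contentType = contentType; this.body = body; }
    }

    Rendered render(String json, String callbackParam) {
        if (!jsonpEnabled || callbackParam == null) {
            // Feature disabled (or no callback requested): the parameter is simply not honoured.
            return new Rendered("application/json", json);
        }
        if (!SAFE_CALLBACK.matcher(callbackParam).matches()) {
            // The servlet would translate this into an HTTP 400 rather than echo the value.
            throw new IllegalArgumentException("invalid callback name");
        }
        // Leading comment block is a common defence against the response being sniffed as another type.
        return new Rendered("application/javascript", "/**/" + callbackParam + "(" + json + ");");
    }

    public static void main(String[] args) {
        Properties off = new Properties();                 // nothing set: feature disabled
        Properties on = new Properties();
        on.setProperty(ENABLE_KEY, "true");
        String json = "{\"id\":\"john.doe\"}";             // constructed sample payload
        System.out.println(new JsonpResponseGate(off).render(json, "cb").body);
        System.out.println(new JsonpResponseGate(on).render(json, "cb").body);
        try {
            new JsonpResponseGate(on).render(json, "cb()");  // not an identifier: rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```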
Re: Review Request: allow container to exclude JSONP access
Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/#review15315
-----------------------------------------------------------
Ship it!
Let's see if anyone else has any feedback. Give it a few more days. Might want to send a reminder to the dev list to get people to take one last look.
- Ryan Baxter
Re: Review Request: allow container to exclude JSONP access
Posted by Marshall Shi <sh...@cn.ibm.com>.
> On Nov. 21, 2012, 6:49 a.m., Marshall Shi wrote:
> > Another call for review comments.
Call for comments again.
- Marshall
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/#review13664
-----------------------------------------------------------
Re: Review Request: allow container to exclude JSONP access
Posted by Marshall Shi <sh...@cn.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/#review13664
-----------------------------------------------------------
Another call for review comments.
- Marshall Shi
Re: Review Request: allow container to exclude JSONP access
Posted by Henry Saputra <hs...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/#review15326
-----------------------------------------------------------
Ship it!
Ship It!
- Henry Saputra
Re: Review Request: allow container to exclude JSONP access
Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/#review15521
-----------------------------------------------------------
Committed revision 1435567. Please close the review.
- Ryan Baxter