Posted to dev@shindig.apache.org by "Kevin Brown (JIRA)" <ji...@apache.org> on 2008/03/02 00:34:51 UTC

[jira] Closed: (SHINDIG-93) Improve rpc security

     [ https://issues.apache.org/jira/browse/SHINDIG-93?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Brown closed SHINDIG-93.
------------------------------

    Resolution: Fixed

Implemented as of 2/29

> Improve rpc security
> --------------------
>
>                 Key: SHINDIG-93
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-93
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Features
>            Reporter: Kevin Brown
>            Assignee: Kevin Brown
>         Attachments: rpc-security.patch
>
>
> Currently, gadgets.rpc does not correctly validate which iframe sends an RPC request to the parent page, and it's possible that a malicious gadget could send rpc calls.
> Currently, the only service that this actually presents a significant problem for is set_pref, which could be used to overwrite existing user prefs. Our stock implementation of set_pref deals with this by passing a security token that ensures that only the iframe that was registered for the given id may make calls as that id.
> The attached patch makes this standard feature for all rpc calls, as long as the parent page appropriately registers a security token for each iframe that it expects to receive calls from.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.