Posted to dev@tapestry.apache.org by "Jesse Kuhnert (JIRA)" <de...@tapestry.apache.org> on 2007/05/02 03:41:15 UTC
[jira] Updated: (TAPESTRY-1397) Secure integrated JSON functionality from JavaScript Hijacking
[ https://issues.apache.org/jira/browse/TAPESTRY-1397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jesse Kuhnert updated TAPESTRY-1397:
------------------------------------
Fix Version/s: 4.2
> Secure integrated JSON functionality from JavaScript Hijacking
> --------------------------------------------------------------
>
> Key: TAPESTRY-1397
> URL: https://issues.apache.org/jira/browse/TAPESTRY-1397
> Project: Tapestry
> Issue Type: Task
> Components: JavaScript
> Affects Versions: 4.1.2, 4.2
> Reporter: Greg Woolsey
> Fix For: 4.2
>
>
> See http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for details and simple solution options.
> The security document indicates the Dojo project is already looking into the issue, so some coordination is probably in order, but I wanted to add an issue to track progress and thinking.
> The recommendation to include the session cookie if available in all JSON requests, and validate it on the server, is something Tapestry could incorporate easily. If there is a JSESSIONID cookie on the page generating the request, use it, otherwise send a "no-session" value. The server would then check to see if there really was no session, or if the parameter matched the current request's session.
> Also, the client-side suggestion of munging the response JS so it needs modification before execution is a good one. This is probably where Dojo changes would fit in. Personally, I like the infinite while loop suggestion, but that's just spite ;-)
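The two defences proposed in the issue above, as an added example that is not Tapestry or Dojo code: the client reads JSESSIONID (or sends "no-session") and the server compares it against the real session, and the server prefixes the JSON body so a plain script inclusion hangs while the legitimate XHR caller strips the prefix before parsing. The parameter name `session` and the cookie-string input are assumptions; the cookie must be readable by script (not HttpOnly) for the client side to work.

```javascript
// Added example, not from the issue or from Tapestry/Dojo: pure functions so both
// sides of the check can be exercised without a browser or servlet container.

const NO_SESSION = "no-session"; // value proposed in the issue when no session exists
const PREFIX = "while(1);";      // "munging" prefix: a <script src> inclusion hangs here

// Client side: read JSESSIONID from a document.cookie-style string ("a=1; JSESSIONID=x; b=2").
// Assumes the cookie is visible to script (i.e. not HttpOnly).
function sessionParamFromCookies(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "JSESSIONID") return rest.join("=");
  }
  return NO_SESSION;
}

// Client side: append the session parameter ("session" is an assumed name) to a JSON request URL.
function jsonRequestUrl(baseUrl, cookieString) {
  const sep = baseUrl.includes("?") ? "&" : "?";
  return baseUrl + sep + "session=" + encodeURIComponent(sessionParamFromCookies(cookieString));
}

// Server side: the check described in the issue. A cross-site inclusion carries the
// browser's cookie (so the server sees a session), but the including page cannot read
// that cookie, so it cannot supply a matching parameter.
function serverAccepts(sentParam, currentSessionId) {
  if (currentSessionId === null) return sentParam === NO_SESSION;
  return sentParam === currentSessionId;
}

// Server side: make the response non-executable as-is.
function wrapJsonResponse(jsonText) {
  return PREFIX + jsonText;
}

// Client side (XHR callback): strip the prefix, then parse. Rejecting a body without the
// prefix also catches responses that bypassed the wrapping.
function unwrapJsonResponse(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijacking prefix");
  return JSON.parse(body.slice(PREFIX.length));
}
```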
--
This message is automatically generated by JIRA.