Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2017/11/13 23:00:01 UTC

[jira] [Commented] (MESOS-5918) Replace jsonp with a more secure alternative

    [ https://issues.apache.org/jira/browse/MESOS-5918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250447#comment-16250447 ] 

Alexander Rojas commented on MESOS-5918:
----------------------------------------

For backwards compatibility I think it will be a while before we can completely remove the {{jsonp}} parameter from our codebase; however, that doesn't mean we cannot mitigate the problem of the possible attacks by properly treating the {{jsonp}} parameter.

As it is currently implemented, we just return whatever value was given in the parameter, e.g.:

{code}
return OK(_flags(), request.url.query.get("jsonp"));
{code}

But we should probably check that {{jsonp}} is just a JS identifier. Apparently just Internet Explorer up to version 11 is vulnerable to this attack.

> Replace jsonp with a more secure alternative
> --------------------------------------------
>
>                 Key: MESOS-5918
>                 URL: https://issues.apache.org/jira/browse/MESOS-5918
>             Project: Mesos
>          Issue Type: Improvement
>          Components: webui
>            Reporter: Yan Xu
>
> We currently use the {{jsonp}} technique to bypass CORS check. This practice has many security concerns (see discussions on MESOS-5911) so we should replace it with a better alternative.
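One way to implement the identifier check proposed in the comment above, as added example code that is not part of Mesos: the callback name is accepted only if it is a JavaScript identifier (optionally dotted), and anything else is refused before it can be echoed into the response. The function names, the 128-character length bound and the dotted-name rule are assumptions, not Mesos behaviour.

```cpp
#include <cctype>
#include <optional>
#include <string>

// Return true only if `name` looks like a JS callback reference: an
// identifier, optionally followed by dotted member accesses, e.g.
// "cb" or "app.handlers.onFlags". Quotes, parentheses, angle brackets,
// whitespace and non-ASCII bytes are all rejected, so the value can
// never smuggle markup or script into the reflected response.
bool isValidJsonpCallback(const std::string& name)
{
  // 128 is an assumed upper bound; real callback names are far shorter.
  if (name.empty() || name.size() > 128) {
    return false;
  }

  bool segmentStart = true;  // true while expecting an identifier's first char
  for (unsigned char c : name) {
    if (segmentStart) {
      if (!(std::isalpha(c) || c == '_' || c == '$')) return false;
      segmentStart = false;
    } else if (c == '.') {
      segmentStart = true;   // next char must begin a new identifier segment
    } else if (!(std::isalnum(c) || c == '_' || c == '$')) {
      return false;
    }
  }
  return !segmentStart;      // rejects a trailing '.' and "a..b"
}

// Build the JSONP body `callback(json);`, or return nullopt when the
// callback is unacceptable, in which case the caller should answer
// 400 Bad Request instead of reflecting the parameter.
std::optional<std::string> wrapJsonp(const std::string& json,
                                     const std::string& callback)
{
  if (!isValidJsonpCallback(callback)) {
    return std::nullopt;
  }
  return callback + "(" + json + ");";
}
```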



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)