Posted to dev@shindig.apache.org by Marshall Shi <sh...@cn.ibm.com> on 2012/11/21 07:49:08 UTC
Re: Review Request: allow container to exclude JSONP access
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6652/#review13664
-----------------------------------------------------------
Another call for review comments.
- Marshall Shi
On Oct. 9, 2012, 4:29 a.m., Marshall Shi wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/6652/
> -----------------------------------------------------------
>
> (Updated Oct. 9, 2012, 4:29 a.m.)
>
>
> Review request for shindig, Ryan Baxter, Dan Dumont, Stanton Sievers, and Rich Thompson.
>
>
> Description
> -------
>
> Shindig code base supports a 'callback' query parameter on a number of entry points (RPC Servlet entry, DataServiceServlet and JsonRpcServlet) and thereby provides JSONP support. However, Shindig has no place that uses this support.
>
> ALL containers based off of Shindig are now forced to protect themselves against inappropriate JSONP usage (security issue).
>
> Why would Shindig ship unused functionality that FORCES all containers to do extra work?
>
> The proposed improvement is to extract a setting so an application can disable the JSONP feature. In the longer term, we can deprecate this feature and remove it if no one is depending on it.
>
>
> This addresses bug shindig-1837.
> https://issues.apache.org/jira/browse/shindig-1837
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/conf/shindig.properties 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/protocol/ApiServlet.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/protocol/DataServiceServlet.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/protocol/JsonRpcServlet.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/protocol/DataServiceServletTest.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/protocol/JsonRpcServletTest.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/RpcServlet.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/RpcServletTest.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/samples/src/test/java/org/apache/shindig/social/opensocial/jpa/spi/integration/JpaRestfulTestConfigHelper.java 1373213
> http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/dataservice/integration/AbstractLargeRestfulTests.java 1373213
>
> Diff: https://reviews.apache.org/r/6652/diff/
>
>
> Testing
> -------
>
> Done
>
>
> Thanks,
>
> Marshall Shi
>
>
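The kind of gate the description above asks for, as an added example that is not taken from the patch or from Shindig: a handler that honours the 'callback' query parameter only when a container setting enables JSONP. The property key `example.jsonp.enabled`, the default of "off", the 400 response and the callback-name pattern are all assumptions made for this illustration.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;

// Added illustration, not Shindig code: gate the 'callback' parameter on a container setting.
public class JsonpGate {
    // Hypothetical property key; the key the patch adds to shindig.properties is not shown here.
    static final String JSONP_ENABLED_KEY = "example.jsonp.enabled";
    // Accept only dotted JavaScript identifiers as callback names (assumed policy).
    private static final Pattern CALLBACK =
            Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");

    static final class Response {
        final int status; final String contentType; final String body;
        Response(int status, String contentType, String body) {
            this.status = status; this.contentType = contentType; this.body = body;
        }
        @Override public String toString() { return status + " " + contentType + " " + body; }
    }

    private final boolean jsonpEnabled;

    JsonpGate(Properties config) {
        // Off unless the container opts in (an assumed default for this example).
        jsonpEnabled = Boolean.parseBoolean(config.getProperty(JSONP_ENABLED_KEY, "false"));
    }

    Response render(Map<String, String> query, String json) {
        String callback = query.get("callback");
        // No callback: plain JSON, which a cross-site <script> include cannot read.
        if (callback == null) return new Response(200, "application/json", json);
        // Refuse rather than wrap the payload in a caller-chosen function.
        if (!jsonpEnabled) return new Response(400, "text/plain", "JSONP is disabled");
        if (callback.length() > 64 || !CALLBACK.matcher(callback).matches())
            return new Response(400, "text/plain", "invalid callback name");
        return new Response(200, "application/javascript", callback + "(" + json + ");");
    }

    public static void main(String[] args) {
        String json = "{\"id\":\"constructed-sample\"}"; // constructed payload
        Map<String, String> jsonp = Collections.singletonMap("callback", "handle");
        Properties on = new Properties();
        on.setProperty(JSONP_ENABLED_KEY, "true");
        System.out.println(new JsonpGate(new Properties()).render(jsonp, json)); // disabled
        System.out.println(new JsonpGate(on).render(jsonp, json));               // enabled
        System.out.println(new JsonpGate(on).render(Collections.<String, String>emptyMap(), json));
    }
}
```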
Re: Review Request: allow container to exclude JSONP access
Posted by Marshall Shi <sh...@cn.ibm.com>.
> On Nov. 21, 2012, 6:49 a.m., Marshall Shi wrote:
> > Another call for review comments.
Call for comments again.
- Marshall