shindig-dev mailing list archives

From "Dan Dumont" <ddum...@us.ibm.com>
Subject Re: makeRequest content-disposition header to prevent XSS
Date Tue, 31 Jan 2012 16:27:38 GMT
Well... 

If the shindig server is locked down and properly secured, what 
vulnerability is the Content-Disposition protecting against?
And if the shindig server is not locked down and secured, does the server 
owner really care about security?

Can we just remove this protection altogether and just rely on the 
security of locked domains and secure tokens?



From:   Ryan J Baxter/Westford/IBM@Lotus
To:     dev@shindig.apache.org, 
Date:   01/31/2012 08:44 AM
Subject:        Re: makeRequest content-disposition header to prevent XSS



Would this mean that your changes would only work on IE if locked domains 
are enabled and "secure" security tokens are turned on?


-Ryan




From:   Dan Dumont/Westford/IBM@Lotus
To:     dev@shindig.apache.org, 
Date:   01/30/2012 06:29 PM
Subject:        makeRequest content-disposition header to prevent XSS



I'm looking at the response from makeRequest and was reminded that we do:
    // Always set Content-Disposition header as XSS prevention mechanism.
    response.setHeader("Content-Disposition", "attachment;filename=p.txt");

I'm wondering what people think about not doing this in a shindig config 
that uses locked domains and secure tokens?
This detail is crucial to being able to support file upload through the 
makeRequest proxy in IE without the aid of a flash plugin.
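Added example, not Shindig's own code: a small Python check that classifies a proxied makeRequest-style response the way the thread reasons about it, asking whether Content-Disposition forces a download, whether the body could be rendered as active content on the proxy's origin, and whether that origin is a per-gadget locked domain rather than the container's host. The class and function names, the hostnames and the sample responses are all assumptions constructed for this example.

```python
"""Classify a proxied response for the render-as-HTML XSS risk discussed above."""
from dataclasses import dataclass

# Content types a browser renders as a document that can run script.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Markers browsers commonly sniff as HTML when the Content-Type is missing or
# generic; a constructed subset, not any one browser's exact sniffing rules.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe", b"<svg")


@dataclass
class ProxiedResponse:
    headers: dict   # header name -> value (looked up case-insensitively)
    body: bytes     # bytes the proxy would hand back to the browser
    host: str       # hostname the browser would see the response on


def header(resp, name):
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), None)


def forces_download(resp):
    """True when Content-Disposition: attachment stops the browser rendering it."""
    cd = header(resp, "Content-Disposition") or ""
    return cd.split(";")[0].strip().lower() == "attachment"


def renderable_as_active(resp):
    """True when the browser would treat the body as a script-capable document."""
    ctype = (header(resp, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        return True
    nosniff = (header(resp, "X-Content-Type-Options") or "").strip().lower() == "nosniff"
    if ctype and nosniff:
        return False          # declared non-active type and sniffing disabled
    return any(m in resp.body[:512].lower() for m in HTML_MARKERS)


def on_locked_domain(resp, container_host, locked_suffix):
    """Locked domains give each gadget its own hostname, separate from the container."""
    return resp.host != container_host and resp.host.endswith(locked_suffix)


def xss_risk(resp, container_host, locked_suffix):
    if forces_download(resp):
        return "safe: attachment disposition prevents rendering"
    if not renderable_as_active(resp):
        return "safe: not renderable as active content"
    if on_locked_domain(resp, container_host, locked_suffix):
        return "isolated: renderable, but on a locked domain"
    return "risk: renderable active content on the container origin"


# Constructed samples (assumed hostnames; the body stands in for an untrusted upstream).
CONTAINER, LOCKED = "container.example", ".locked.example"
BODY = b"<html><script>/* untrusted upstream content */</script></html>"
WITH_CD = ProxiedResponse({"Content-Type": "text/plain",
                           "Content-Disposition": "attachment;filename=p.txt"}, BODY, CONTAINER)
NO_CD_CONTAINER = ProxiedResponse({"Content-Type": "text/html"}, BODY, CONTAINER)
NO_CD_LOCKED = ProxiedResponse({"Content-Type": "text/html"}, BODY, "g1" + LOCKED)
SNIFFED = ProxiedResponse({}, BODY, CONTAINER)
```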

