shindig-issues mailing list archives

From "Javier Pedemonte (JIRA)" <>
Subject [jira] Commented: (SHINDIG-1409) Security updates to RPC
Date Thu, 02 Sep 2010 21:03:53 GMT


Javier Pedemonte commented on SHINDIG-1409:

Some more info on my previous comment:

First, I commented out the 'setupContainerGadgetContext()' call in rpc.js, so it would call
'setupContainerGenericIframe()' instead.  With this change, the test worked just fine, on
Firefox 3.6.

Next, I did some debugging and found out that gadgets.config (and probably many other things)
is being included twice inside the gadget context.  What happens is that the call to register
RPC with config happens first, but then another script with 'gadgets.config' class is loaded
and overwrites the existing 'gadgets.config' structures -- this wipes out any previously registered

Eventually, 'gadgets.config.init' is called, but the RPC callback is no longer registered.
So the RPC service in the gadget context is never fully initialized.

If someone knows what's going on, please fix it.  The HTML sent back from the server for the
gadget loads the following two scripts:

<script src="http://localhost:8080/gadgets/js/rpc.js?container=default&amp;nocache=0&amp;debug=1&amp;c=0&amp;v=d18d1eba3b5cafbf214b5493863639ab"></script>
<script src="http://localhost:8080/gadgets/js/;nocache=0&amp;debug=1&amp;c=0&amp;v=fc6bca5e8a0854744d4323d8e828f975"></script>

Both contain an impl of 'gadgets.config', so the 2nd script overwrites the first.  Not sure
why the 2nd script is included.

> Security updates to RPC
> -----------------------
>                 Key: SHINDIG-1409
>                 URL:
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Javascript 
>    Affects Versions: 2.0.0
>            Reporter: Javier Pedemonte
>            Priority: Minor
>             Fix For: 2.0.0
> Add security features to the RPC layer, as described here:

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
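
The overwrite described in the comment above, modeled as an added example that is not part of the original message and is not Shindig's code. `loadConfigScript`, `simulate` and the `guarded` flag are hypothetical names; the config object is a simplified stand-in with only `register` and `init`.

```javascript
// Simplified stand-in for a script that defines gadgets.config.
// Each call models one <script> being evaluated inside the gadget iframe.
function loadConfigScript(gadgets, guarded) {
  // Guarded variant: keep the existing object if an earlier script defined it,
  // so callbacks registered against it survive the second load.
  if (guarded && gadgets.config) return;
  const components = {}; // component name -> list of init callbacks
  gadgets.config = {
    register(name, callback) {
      (components[name] = components[name] || []).push(callback);
    },
    init(config) {
      let called = 0;
      for (const name of Object.keys(components)) {
        for (const cb of components[name]) {
          cb(config);
          called++;
        }
      }
      return called; // number of callbacks that actually ran
    },
  };
}

// Reproduces the load order from the comment: config is defined, RPC registers
// its callback, a second script defines config again, then init is called.
function simulate(guarded) {
  const gadgets = {};
  const state = { rpcInitialized: false };
  loadConfigScript(gadgets, guarded); // first script
  gadgets.config.register('rpc', () => { state.rpcInitialized = true; });
  loadConfigScript(gadgets, guarded); // second script carrying its own gadgets.config
  const callbacksRun = gadgets.config.init({ rpc: {} }); // constructed config
  return { rpcInitialized: state.rpcInitialized, callbacksRun };
}
```

With `guarded` set to false the second definition replaces the registry and `init` runs zero callbacks, which matches the RPC service never being initialized; with the guard, the callback registered before the second load still fires.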
